This bug was fixed in the package rails - 2.3.5-1.1ubuntu0.1

---------------
rails (2.3.5-1.1ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
    the mail_to helper
    - Add 0001-Be-sure-to-javascript_escape-the-email-address-to-pr.patch
      from Debian and fix Debian bug #629067 by replacing .html_safe with
      html_escape()
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
    - CVE-2011-0446
    - LP: #870846
  * SECURITY UPDATE: rails does not properly validate HTTP requests that
    contain an X-Requested-With header
    - Add 0002-Change-the-CSRF-whitelisting-to-only-apply-to-get-re.patch
      from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
    - CVE-2011-0447
  * SECURITY UPDATE: multiple SQL injection vulnerabilities in the
    quote_table_name method in the ActiveRecord adapters
    - Add CVE-2011-2930.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
    - CVE-2011-2930
  * SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
    strip_tags helper
    - Add CVE-2011-2931.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
    - CVE-2011-2931
  * SECURITY UPDATE: cross-site scripting vulnerability which allows remote
    attackers to inject arbitrary web script or HTML via a malformed Unicode
    string
    - Add CVE-2011-2932.patch, backported from upstream
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
    - CVE-2011-2932
  * SECURITY UPDATE: response splitting vulnerability
    - Add CVE-2011-3186.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
    - CVE-2011-3186
 -- Felix Geyer <[email protected]>   Wed, 12 Oct 2011 18:48:13 +0200
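The first changelog entry describes the mail_to fix as replacing `.html_safe` with `html_escape()` on the e-mail address. The following Ruby is an added illustration of that difference, not Rails code or the Debian patch: `mail_to_unescaped` stands in for the pre-fix behaviour (the address is interpolated and the result treated as trusted markup), `mail_to_escaped` applies the standard-library `ERB::Util.html_escape` first, and `TAINTED_ADDRESS` is a constructed value used only to show the effect. The function names and the `well_formed_link?` check are this example's own, not part of Rails.

```ruby
require 'erb'

# Constructed value with markup characters in it; in a real application the
# address would be user-supplied data read back from the database.
TAINTED_ADDRESS = %(bob@example.com"><script>alert(1)</script>)

# Pre-fix shape: the address goes straight into attribute and text context and
# the result is treated as already-safe markup (what .html_safe amounted to).
def mail_to_unescaped(email)
  %(<a href="mailto:#{email}">#{email}</a>)
end

# Post-fix shape: escape the address before it touches either context.
# ERB::Util.html_escape turns & < > " ' into entities.
def mail_to_escaped(email)
  safe = ERB::Util.html_escape(email)
  %(<a href="mailto:#{safe}">#{safe}</a>)
end

# Hypothetical regression check for this example: a correctly escaped link has
# exactly the two tags and two quote characters of the <a> skeleton and nothing
# else, because every such character from the address became an entity.
def well_formed_link?(html)
  html.count('<') == 2 && html.count('>') == 2 && html.count('"') == 2
end

if __FILE__ == $PROGRAM_NAME
  puts mail_to_unescaped(TAINTED_ADDRESS)
  puts mail_to_escaped(TAINTED_ADDRESS)
  puts "escaped link well formed: #{well_formed_link?(mail_to_escaped(TAINTED_ADDRESS))}"
end
```

The same escaping must be applied on every path the address takes into the page; marking a caller-supplied string as safe only asserts that someone else already escaped it, which is exactly the assumption the update removes.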
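The second entry says the CSRF whitelisting was changed to apply only to GET requests, because a request is not properly validated merely for carrying an `X-Requested-With` header. As an added example (not Rails' own `verified_request?` implementation and not the Debian patch), the Ruby below models both shapes of the check on a minimal request object so the difference can be exercised directly. The `Request` struct, the `session[:_csrf_token]` and `authenticity_token` names, and the `verified_request_before?`/`verified_request_after?` functions are this example's assumptions.

```ruby
require 'securerandom'

# Minimal model of an incoming request: only the fields the check consults.
Request = Struct.new(:method, :headers, :params, :session, keyword_init: true)

def xhr?(request)
  request.headers['X-Requested-With'].to_s.downcase == 'xmlhttprequest'
end

# The submitted token must be present and equal the one stored in the session.
# A production check should use a constant-time comparison.
def token_matches?(request)
  expected  = request.session[:_csrf_token]
  submitted = request.params['authenticity_token']
  !expected.nil? && !submitted.nil? && expected == submitted
end

# Pre-fix shape: any request with X-Requested-With skipped the token check.
# The header is client-controlled, so it is not evidence of same-origin intent.
def verified_request_before?(request)
  request.method == 'GET' || xhr?(request) || token_matches?(request)
end

# Post-fix shape: only GET is exempt; every state-changing request needs the token.
def verified_request_after?(request)
  request.method == 'GET' || token_matches?(request)
end

# Fresh per-session token, as a real application would issue at login.
def new_session
  { _csrf_token: SecureRandom.hex(16) }
end

if __FILE__ == $PROGRAM_NAME
  session = new_session
  # Constructed POST that carries the header but no token.
  no_token = Request.new(method: 'POST',
                         headers: { 'X-Requested-With' => 'XMLHttpRequest' },
                         params: {}, session: session)
  puts "before fix accepts header-only POST: #{verified_request_before?(no_token)}"
  puts "after fix accepts header-only POST:  #{verified_request_after?(no_token)}"
end
```

Detection-wise, the post-fix rule is easy to audit: every non-GET request that lacks a valid token is rejected, regardless of any other header, so a log of rejected requests with `X-Requested-With` set and no token is a direct signal that a client still relied on the old exemption.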

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/870846

Title:
  several vulnerabilities in rails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rails/+bug/870846/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
