Bug 1510

Summary: ruby-rails security update
Product: Mageia
Reporter: Jérôme Soyer <saispo>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID
QA Contact:
Severity: normal
Priority: Normal
CC: mageia, shikamaru
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: ruby-rails-2.3.11-2.mga1.src.rpm
CVE:
Status comment:

Description Jérôme Soyer 2011-06-01 20:44:35 CEST
Package        : rails
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0446 CVE-2011-0447
Debian Bug     : 614864

Several vulnerabilities have been discovered in Rails, the Ruby web
application framework. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2011-0446

   Multiple cross-site scripting (XSS) vulnerabilities when JavaScript
   encoding is used, allow remote attackers to inject arbitrary web
   script or HTML.

CVE-2011-0447

   Rails does not properly validate HTTP requests that contain an
   X-Requested-With header, which makes it easier for remote attackers
   to conduct cross-site request forgery (CSRF) attacks.
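The X-Requested-With weakness behind CVE-2011-0447, as an added and simplified illustration that is not Rails' own code and not part of this bug report: a weak verifier that skips the token check whenever the header is present, beside a hardened one that requires the session's authenticity token (as a form parameter or in an X-CSRF-Token header) on every non-GET request. The plain-hash request objects, the constant-time comparison helper and the sample requests are constructed for this example.

```ruby
require 'securerandom'

# Per-session authenticity token; constructed here for the example.
SESSION_TOKEN = SecureRandom.hex(16)

# Compare two strings without leaking where the first mismatch occurs.
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Weak verifier (the CVE-2011-0447 pattern, simplified): a request that merely
# carries X-Requested-With is treated as a same-origin XHR and the token check
# is skipped entirely.
def verified_request_weak?(req, session_token = SESSION_TOKEN)
  return true if req[:method] == 'GET'
  return true if req[:headers]['X-Requested-With'].to_s =~ /XMLHttpRequest/i
  constant_time_equal?(req[:params]['authenticity_token'], session_token)
end

# Hardened verifier: the header proves nothing. Every non-GET request must
# present the session token, as a form parameter or in an X-CSRF-Token header
# that same-origin script copied from the page.
def verified_request_hardened?(req, session_token = SESSION_TOKEN)
  return true if req[:method] == 'GET'
  presented = req[:params]['authenticity_token'] || req[:headers]['X-CSRF-Token']
  constant_time_equal?(presented, session_token)
end

# Constructed samples. Requests are plain hashes: :method, :headers, :params.
FORGED_POST = { method: 'POST',
                headers: { 'X-Requested-With' => 'XMLHttpRequest' },
                params: {} }
LEGIT_XHR = { method: 'POST',
              headers: { 'X-Requested-With' => 'XMLHttpRequest',
                         'X-CSRF-Token' => SESSION_TOKEN },
              params: {} }

if __FILE__ == $0
  puts "weak check accepts header-only request:     #{verified_request_weak?(FORGED_POST)}"
  puts "hardened check accepts header-only request: #{verified_request_hardened?(FORGED_POST)}"
  puts "hardened check accepts token-bearing XHR:   #{verified_request_hardened?(LEGIT_XHR)}"
end
```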

Manuel Hiebel 2011-08-30 09:51:54 CEST

CC: (none) => shikamaru

Comment 1 Sander Lepik 2011-09-02 20:27:13 CEST
These issues should be fixed in 2.3.11, which we ship.

http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

Reopen if you don't think so, but Debian had 2.3.5 and older versions; that's why they had to patch.

Status: NEW => RESOLVED
CC: (none) => sander.lepik
Resolution: (none) => INVALID