Mageia Bugzilla – Bug 12387
ruby-will_paginate new security issue CVE-2013-6459
Last modified: 2014-02-11 23:53:06 CET
Fedora has issued an advisory on January 3:
The issue is fixed in 3.0.5, and Fedora has patches for this:
Mageia 3 is also affected.
Updated ruby-will_paginate packages fix security vulnerability:
Cross-Site Scripting (XSS) vulnerabilities were found in the
will_paginate gem for Ruby, where certain input related to
generated pagination links was not properly sanitised before being
returned. This could be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected
Updated packages in core/updates_testing:
Freeze push asked for ruby-will_paginate-3.0.5-1.mga4
Thanks Philippe! I'll leave it blocking the tracker until it's pushed in Cauldron.
I don't see a freeze push request on the mailing list.
ruby-will_paginate-3.0.5-1.mga4 uploaded for Cauldron.
This is really a rails thing so testing will be limited to ensuring it updates cleanly and loads in irb.
Testing complete mga3 32 & 64
irb(main):001:0> require 'will_paginate'
Advisory uploaded. Validating.
Could sysadmin please push to 3 updates