Bug 12387 - ruby-will_paginate new security issue CVE-2013-6459
Summary: ruby-will_paginate new security issue CVE-2013-6459
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Platform: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/581552/
Whiteboard: has_procedure advisory mga3-32-ok mga...
Keywords: validated_update

Reported: 2014-01-21 20:56 CET by David Walser
Modified: 2014-02-11 23:53 CET (History)
Source RPM: ruby-will_paginate-3.0.3-6.mga4.src.rpm
Comment 1 Philippe Makowski 2014-01-25 13:22:05 CET
Advisory:
========================

Updated ruby-will_paginate packages fix security vulnerability:
Cross-Site Scripting (XSS) vulnerabilities were found in the
will_paginate gem for Ruby, where certain input related to
generated pagination links was not properly sanitised before being
returned. This could be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of an affected
site (CVE-2013-6459).


References:

https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126924.html
CVE Request:
http://seclists.org/oss-sec/2013/q4/550

Updated packages in core/updates_testing:
========================

ruby-will_paginate-doc-3.0.3-3.1.mga3.noarch.rpm
ruby-will_paginate-3.0.3-3.1.mga3.noarch.rpm

from ruby-will_paginate-3.0.3-3.1.mga3.src.rpm


Freeze push asked for ruby-will_paginate-3.0.5-1.mga4
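To illustrate the vulnerability class the advisory above describes (query input reaching generated pagination links without being sanitised), here is an added example. It is not will_paginate's code and not part of this bug report: a constructed, minimal pagination link builder in a vulnerable form and a hardened form, using only Ruby's stdlib (ERB::Util.html_escape and URI.encode_www_form). The parameter names, the sample input and the helper names are assumptions made for the illustration.

```ruby
require 'erb'  # ERB::Util.html_escape (stdlib)
require 'uri'  # URI.encode_www_form (stdlib)

# Constructed illustration, not will_paginate's code: a minimal pagination
# link builder in two variants.  Both take the request's query parameters
# (a Hash; one value is attacker-controlled in the sample input below) and
# emit one <a> element per page.

# Vulnerable variant: the query string is rebuilt by plain interpolation and
# dropped straight into the href attribute, so a parameter value containing
# a double quote closes the attribute and the rest is rendered as markup.
def paginate_unsafe(params, total_pages)
  (1..total_pages).map do |n|
    query = params.merge('page' => n).map { |k, v| "#{k}=#{v}" }.join('&')
    %(<a href="?#{query}">#{n}</a>)
  end.join(' ')
end

# Hardened variant: percent-encode each parameter (URI.encode_www_form),
# then HTML-escape the result before it goes into the attribute (this also
# turns the '&' separators into '&amp;'), and escape the link text too.
def paginate_safe(params, total_pages)
  (1..total_pages).map do |n|
    query = URI.encode_www_form(params.merge('page' => n))
    href  = ERB::Util.html_escape("?#{query}")
    label = ERB::Util.html_escape(n.to_s)
    %(<a href="#{href}">#{label}</a>)
  end.join(' ')
end

# Crude check used to compare the two outputs: does any tag other than the
# anchors we generated appear in the markup?
def foreign_markup?(html)
  html.scan(%r{</?([a-z]+)}i).flatten.map(&:downcase).any? { |tag| tag != 'a' }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: 'sort' carries a value that breaks out of the
  # href attribute in the vulnerable variant.
  params = { 'q' => 'shoes', 'sort' => %q(x"><b>injected</b>) }
  puts paginate_unsafe(params, 2)
  puts paginate_safe(params, 2)
  puts "unsafe leaks markup: #{foreign_markup?(paginate_unsafe(params, 2))}"
  puts "safe leaks markup:   #{foreign_markup?(paginate_safe(params, 2))}"
end
```

The point of the hardened variant is that the two encodings are layered in the right order: percent-encoding makes the value safe as a URL component, and HTML-escaping afterwards makes the whole URL safe inside an attribute. Skipping either step leaves the attribute boundary breakable, which is the shape of flaw the advisory describes.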
Comment 2 David Walser 2014-01-25 16:30:47 CET
Thanks Philippe!  I'll leave it blocking the tracker until it's pushed in Cauldron.
Comment 3 David Walser 2014-01-25 17:10:38 CET
I don't see a freeze push request on the mailing list.
Comment 4 David Walser 2014-01-25 20:10:34 CET
ruby-will_paginate-3.0.5-1.mga4 uploaded for Cauldron.
Comment 5 claire robinson 2014-02-11 14:53:25 CET
This is really a Rails thing so testing will be limited to ensuring it updates cleanly and loads in irb.

Testing complete mga3 32 & 64

$ irb
irb(main):001:0> require 'will_paginate'
=> true
Comment 6 claire robinson 2014-02-11 14:59:09 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Thanks
Comment 7 Thomas Backlund 2014-02-11 23:53:06 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0054.html
