Bug 12387 - ruby-will_paginate new security issue CVE-2013-6459
Summary: ruby-will_paginate new security issue CVE-2013-6459
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/581552/
Whiteboard: has_procedure advisory mga3-32-ok mga...
Keywords: validated_update
Depends on:
Reported: 2014-01-21 20:56 CET by David Walser
Modified: 2014-02-11 23:53 CET (History)
4 users

See Also:
Source RPM: ruby-will_paginate-3.0.3-6.mga4.src.rpm
Status comment:


Comment 1 Philippe Makowski 2014-01-25 13:22:05 CET

Updated ruby-will_paginate packages fix security vulnerability:
Cross-Site Scripting (XSS) vulnerabilities were found in the
will_paginate gem for Ruby, where certain input related to
generated pagination links was not properly sanitised before being
returned. This could be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of an affected
site (CVE-2013-6459).


CVE Request:

Updated packages in core/updates_testing:


from ruby-will_paginate-3.0.3-3.1.mga3.src.rpm

Freeze push asked for ruby-will_paginate-3.0.5-1.mga4
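The bug class described in the advisory above, as an added illustration that is not will_paginate's code or the actual upstream fix: a hypothetical pagination link builder that copies request parameters back into an href, first without escaping and then with URL encoding plus HTML escaping. The parameter names and the sample request are constructed for the example.

```ruby
require 'uri'
require 'erb'

# Constructed sample request parameters. The 'sort' value is the kind of
# input a pagination helper would echo into every page link it renders.
SAMPLE_PARAMS = { 'q' => 'shoes', 'sort' => %q{"><script>alert(1)</script>} }.freeze

# Vulnerable pattern: parameter values are interpolated straight into the
# href attribute. A double quote in a value closes the attribute and the
# rest of the value lands in the page as live markup.
def page_link_unsafe(page, params)
  query = params.merge('page' => page.to_s).map { |k, v| "#{k}=#{v}" }.join('&')
  %(<a href="?#{query}">#{page}</a>)
end

# Hardened pattern: URL-encode each key and value while building the query
# string (URI.encode_www_form), then HTML-escape the result before placing
# it in the attribute, so neither a quote nor a tag can survive into markup.
def page_link_safe(page, params)
  query = URI.encode_www_form(params.merge('page' => page.to_s))
  %(<a href="?#{ERB::Util.html_escape(query)}">#{page}</a>)
end

# Simple check for the outcome a reviewer cares about: did a raw tag make it
# into the rendered link?
def contains_raw_script?(html)
  html.include?('<script')
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{page_link_unsafe(2, SAMPLE_PARAMS)}"
  puts "safe:   #{page_link_safe(2, SAMPLE_PARAMS)}"
end
```

The safe variant renders the hostile value as `sort=%22%3E%3Cscript%3E...`, so the browser treats it as an opaque query-string value rather than markup.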
Comment 2 David Walser 2014-01-25 16:30:47 CET
Thanks Philippe!  I'll leave it blocking the tracker until it's pushed in Cauldron.
Comment 3 David Walser 2014-01-25 17:10:38 CET
I don't see a freeze push request on the mailing list.
Comment 4 David Walser 2014-01-25 20:10:34 CET
ruby-will_paginate-3.0.5-1.mga4 uploaded for Cauldron.
Comment 5 claire robinson 2014-02-11 14:53:25 CET
This is really a rails thing so testing will be limited to ensuring it updates cleanly and loads in irb.

Testing complete mga3 32 & 64

$ irb
irb(main):001:0> require 'will_paginate'
=> true
Comment 6 claire robinson 2014-02-11 14:59:09 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 updates

Comment 7 Thomas Backlund 2014-02-11 23:53:06 CET
Update pushed:
