Bug 1510 - ruby-rails security update
Summary: ruby-rails security update
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal (severity: normal)
Target Milestone: ---
Assignee: Mageia Bug Squad
Reported: 2011-06-01 20:44 CEST by Jérôme Soyer
Modified: 2011-09-02 20:27 CEST
CC: 2 users

Source RPM: ruby-rails-2.3.11-2.mga1.src.rpm

Description Jérôme Soyer 2011-06-01 20:44:35 CEST
Package        : rails
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0446 CVE-2011-0447
Debian Bug     : 614864

Several vulnerabilities have been discovered in Rails, the Ruby web
application framework. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2011-0446

   Multiple cross-site scripting (XSS) vulnerabilities when JavaScript
   encoding is used allow remote attackers to inject arbitrary web
   script or HTML.

CVE-2011-0447

   Rails does not properly validate HTTP requests that contain an
   X-Requested-With header, which makes it easier for remote attackers
   to conduct cross-site request forgery (CSRF) attacks.
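The CVE-2011-0447 weakness described above, as an added illustration that is neither Rails code nor part of this bug report: a simplified Ruby model of a Rails-style CSRF check in which a request carrying X-Requested-With: XMLHttpRequest was exempted from the token comparison, beside the corrected form that compares the token on every non-GET request. The Request struct, the token value and the two sample requests are constructed for the example.

```ruby
# Added example, not Rails' own code: a minimal model of how a CSRF check
# treats a request that carries X-Requested-With: XMLHttpRequest.
# Request is a constructed stand-in for the framework's request object;
# only the fields the check needs are modelled.
Request = Struct.new(:verb, :headers, :params, keyword_init: true) do
  def get?
    verb == 'GET'
  end

  # Mirrors the framework's xhr? helper: true when the header names XMLHttpRequest.
  def xhr?
    headers['X-Requested-With'].to_s =~ /XMLHttpRequest/i ? true : false
  end
end

# Weak check (the pre-2.3.11 shape): a request that merely claims to be an
# XHR skips the token comparison, so any client able to set that header on a
# cross-site request bypasses CSRF protection.
def verified_request_weak?(req, session_token)
  req.get? || req.xhr? || req.params['authenticity_token'] == session_token
end

# Corrected check: every non-GET request must carry the session's token,
# regardless of any X-Requested-With header.
def verified_request_fixed?(req, session_token)
  req.get? || req.params['authenticity_token'] == session_token
end

# Constructed samples: a cross-site POST that sets the header but has no
# token, and a legitimate POST that carries the session token.
SESSION_TOKEN = 'constructed-session-token'
FORGED = Request.new(verb: 'POST',
                     headers: { 'X-Requested-With' => 'XMLHttpRequest' },
                     params: {})
LEGIT = Request.new(verb: 'POST', headers: {},
                    params: { 'authenticity_token' => SESSION_TOKEN })

puts "weak check accepts forged request:  #{verified_request_weak?(FORGED, SESSION_TOKEN)}"
puts "fixed check accepts forged request: #{verified_request_fixed?(FORGED, SESSION_TOKEN)}"
puts "fixed check accepts legit request:  #{verified_request_fixed?(LEGIT, SESSION_TOKEN)}"
```

Detecting the weak shape in a code base amounts to looking for any request-attribute test (here xhr?) that short-circuits the token comparison.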

Manuel Hiebel 2011-08-30 09:51:54 CEST

CC: (none) => shikamaru

Comment 1 Sander Lepik 2011-09-02 20:27:13 CEST
These issues should be fixed in 2.3.11 that we ship.

http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

Reopen if you don't think so, but Debian had 2.3.5 and older versions; that's why they had to patch.

Status: NEW => RESOLVED
CC: (none) => sander.lepik
Resolution: (none) => INVALID
