Change logs for rails source package in Lucid

  • rails (2.2.3-2ubuntu0.1) lucid-security; urgency=low
    
       * SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
         the mail_to helper
         - backported fix from upstream:
           actionpack/test/template/url_helper_test.rb
           actionpack/lib/action_view/helpers/url_helper.rb
         - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
         - CVE-2011-0446
         - LP: #870846
       * SECURITY UPDATE: rails does not properly validate HTTP requests that
         contain an X-Requested-With header
         - patch from upstream:
           actionpack/test/controller/request_forgery_protection_test.rb
           actionpack/lib/action_view/helpers.rb
           actionpack/lib/action_view/helpers/csrf_helper.rb
           actionpack/lib/action_controller/request_forgery_protection.rb
         - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
         - CVE-2011-0447
       * SECURITY UPDATE: multiple SQL injection vulnerabilities in the
         quote_table_name method in the ActiveRecord adapters
         - patch from upstream:
           activerecord/test/cases/base_test.rb
           activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
           activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
         - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
         - CVE-2011-2930
       * SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
         strip_tags helper
         - patch from upstream:
           actionpack/test/controller/html-scanner/sanitizer_test.rb
           actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
         - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
         - CVE-2011-2931
       * SECURITY UPDATE: cross-site scripting vulnerability which allows remote
         attackers to inject arbitrary web script or HTML via a malformed Unicode string
         - backported fix from upstream:
           actionpack/lib/action_view/template_handlers/erb.rb
           actionpack/test/template/erb_util_test.rb
         - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
         - CVE-2011-2932
       * SECURITY UPDATE: response splitting vulnerability
         - patch from upstream:
           actionpack/test/controller/content_type_test.rb
           actionpack/lib/action_controller/response.rb
         - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
         - CVE-2011-3186
     -- Felix Geyer <email address hidden>   Sat, 08 Oct 2011 17:26:54 +0200
  • rails (2.2.3-2) unstable; urgency=high
    
      * Make sure strip_tags removes tags which start with a non-printable
        character. (closes: #558685) [CVE-2009-4214]
      * Merge in a few additional encoding changes.
 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu, 04 Feb 2010 17:27:11 +0000
  • rails (2.2.3-1) unstable; urgency=high
    
      * New upstream release (closes: #545063)
        + Fixes XSS security hole [CVE-2009-3009]
        + Fixes timing issue with cookie store [CVE-2009-3086]
      * Remove dependency on ruby-dbi, as it is not required by any of the
        sources.
      * Correct dependency on fixed libxml-simple-ruby to 1.0.11-2 or later
        (closes: #538982)
      * debian/control
        + Change section from web to ruby
        + Updated to debhelper 7.0+
        + Standards updated to 3.8.3 - no changes
    
     -- Scott Kitterman <email address hidden>   Fri, 11 Sep 2009 13:53:42 -0500