Comment 6 for bug 870846

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package rails - 2.2.3-2ubuntu0.1

---------------
rails (2.2.3-2ubuntu0.1) lucid-security; urgency=low

   * SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
     the mail_to helper
     - backported fix from upstream:
       actionpack/test/template/url_helper_test.rb
       actionpack/lib/action_view/helpers/url_helper.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
     - CVE-2011-0446
     - LP: #870846
   * SECURITY UPDATE: rails does not properly validate HTTP requests that
     contain an X-Requested-With header
     - patch from upstream:
       actionpack/test/controller/request_forgery_protection_test.rb
       actionpack/lib/action_view/helpers.rb
       actionpack/lib/action_view/helpers/csrf_helper.rb
       actionpack/lib/action_controller/request_forgery_protection.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
     - CVE-2011-0447
   * SECURITY UPDATE: multiple SQL injection vulnerabilities in the
     quote_table_name method in the ActiveRecord adapters
     - patch from upstream:
       activerecord/test/cases/base_test.rb
       activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
       activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
     - CVE-2011-2930
   * SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
     strip_tags helper
     - patch from upstream:
       actionpack/test/controller/html-scanner/sanitizer_test.rb
       actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
     - CVE-2011-2931
   * SECURITY UPDATE: cross-site scripting vulnerability which allows remote
     attackers to inject arbitrary web script or HTML via a malformed Unicode string
     - backported fix from upstream:
       actionpack/lib/action_view/template_handlers/erb.rb
       actionpack/test/template/erb_util_test.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
     - CVE-2011-2932
   * SECURITY UPDATE: response splitting vulnerability
     - patch from upstream:
       actionpack/test/controller/content_type_test.rb
       actionpack/lib/action_controller/response.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
     - CVE-2011-3186
 -- Felix Geyer <email address hidden> Sat, 08 Oct 2011 17:26:54 +0200
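The second item above (CVE-2011-0447) describes requests carrying an X-Requested-With header that were not properly validated. The following is an added illustration, not code from the Rails tree or from this update's patch: a minimal Rails-style request-forgery check in two versions, one that exempts requests with `X-Requested-With: XMLHttpRequest` from token verification and one that does not. The `Request` class, the `verified_request_before?`/`verified_request_after?` names and the token locations are assumptions made for the example.

```ruby
# Added example, not Rails source. Minimal stand-in for a request object;
# field names are assumptions for illustration.
class Request
  attr_reader :method, :headers, :params, :session

  def initialize(method:, headers: {}, params: {}, session: {})
    @method, @headers, @params, @session = method, headers, params, session
  end

  def get?
    method == 'GET'
  end

  # Conventional way to signal an XMLHttpRequest.
  def xhr?
    headers['X-Requested-With'] == 'XMLHttpRequest'
  end
end

# Constant-time comparison so token checking does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Token may arrive as a form parameter or a request header (assumed names).
def token_matches?(req)
  expected  = req.session[:_csrf_token]
  presented = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
  return false if expected.nil? || presented.nil?
  secure_compare(expected, presented)
end

# Weak version: any request that merely claims to be an XHR skips the token
# check, so a forged POST only needs to carry the header to pass.
def verified_request_before?(req)
  req.get? || req.xhr? || token_matches?(req)
end

# Hardened version: the header grants no exemption; every non-GET request
# must present a token that matches the session's.
def verified_request_after?(req)
  req.get? || token_matches?(req)
end

if __FILE__ == $PROGRAM_NAME
  session = { _csrf_token: 'abc123' }                       # constructed session
  forged  = Request.new(method: 'POST',
                        headers: { 'X-Requested-With' => 'XMLHttpRequest' },
                        session: session)                    # no token at all
  puts "before: #{verified_request_before?(forged)}"         # true  (bypass)
  puts "after:  #{verified_request_after?(forged)}"          # false (rejected)
end
```

The point of the pairing is that a header an attacker can influence is not a proof of origin; only a secret bound to the session is. The hardened check treats XHR and ordinary form posts identically.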