Field | Value
---|---
Summary: | <dev-ruby/rails-2.3.5 XSS weakness in strip_tags (CVE-2009-4214)
Product: | Gentoo Security
Reporter: | Hans de Graaff <graaff>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
CC: | ruby
Priority: | High
Version: | unspecified
Hardware: | All
OS: | All
URL: | http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab
Whiteboard: | B3 [glsa]
Package list: | 
Runtime testing required: | ---
Description
Hans de Graaff
2009-11-27 07:56:06 UTC
Created attachment 211294: Patch for Rails 2.2.x
Created attachment 211295: Rails 2.3.x patch

As far as I can tell upstream has only released Rails 2.3.5. If we want to keep the 2.2.x series around we need to patch it ourselves, it seems like.

Arches, please test and mark stable:

2.2 slot:

- =dev-ruby/actionpack-2.2.3-r1
- =dev-ruby/rails-2.2.3-r1

Target keywords: "amd64 ia64 ppc ppc64 sparc x86"

2.3 slot:

- =dev-ruby/activesupport-2.3.5
- =dev-ruby/actionpack-2.3.5
- =dev-ruby/activeresource-2.3.5
- =dev-ruby/actionmailer-2.3.5
- =dev-ruby/activerecord-2.3.5
- =dev-ruby/rails-2.3.5

Target keywords: "amd64 ia64 ppc ppc64 sparc x86"

Please also stabilize dev-ruby/rack-1.0.1.

amd64/x86 stable

ppc64 done

ia64/sparc stable

CVE-2009-4214 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4214):
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

Stable for PPC.

GLSA together with #200159, #237385, #247549, #276279, and #283396. Draft already filed, advisory will be sent tonight.

GLSA 200912-02
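The NVD text quoted in this bug names non-printing ASCII characters as the vector for the strip_tags weakness. The following Ruby is an added illustration, not code from this bug, from Gentoo or from Rails: the helper names `naive_strip_tags`, `hardened_strip_tags` and `control_chars?`, the `TAG_RE` pattern and the `CONTROL_CHARS` set are all assumptions made for the example, not the patterns the Rails patch used. It shows why a tokenizer that only recognises well-formed tag names passes such input through unchanged, and the fail-closed handling a sanitizer should apply instead: drop control characters before tokenizing, then escape any angle brackets that survive.

```ruby
# Added example (not the bug's or Rails' code): a minimal tag stripper that
# demonstrates the non-printing-ASCII pitfall and a fail-closed fix for it.

# Non-printing ASCII: C0 controls except tab/LF/CR, plus DEL. This set is
# constructed for the example; the exact set handled by the Rails patch is
# not stated on the page.
CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/

# A tag as a simple tokenizer sees it: '<', optional '/', a letter-led name,
# then anything up to the next '>'. Assumed pattern, not Rails' tokenizer.
TAG_RE = %r{</?[A-Za-z][A-Za-z0-9]*[^>]*>}

# Input-validation / logging check: does the input carry control characters
# that a sanitizer's tokenizer may not expect?
def control_chars?(text)
  !!(text =~ CONTROL_CHARS)
end

# Models the weak behaviour: only tags the regex recognises are removed, and
# whatever it did not recognise is passed through untouched.
def naive_strip_tags(html)
  html.gsub(TAG_RE, "")
end

# Hardened variant: remove control characters first so they cannot sit inside
# a tag name, strip recognised tags, then escape any '<' or '>' that survive
# so unrecognised markup can never reach a browser as markup.
def hardened_strip_tags(html)
  cleaned = html.gsub(CONTROL_CHARS, "")
  cleaned.gsub(TAG_RE, "").gsub("<", "&lt;").gsub(">", "&gt;")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a control byte inside an otherwise ordinary tag.
  sample = "<\x01b>bold</b> text"
  puts "control chars present: #{control_chars?(sample)}"
  puts "naive:    #{naive_strip_tags(sample).inspect}"
  puts "hardened: #{hardened_strip_tags(sample).inspect}"
end
```

The point of the escaping step is that the tokenizer's view of the input and the browser's view can differ; rather than trying to enumerate every character a browser might tolerate inside a tag name, the hardened version refuses to emit any angle bracket it did not itself account for.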