Bug 370755 (CVE-2011-2197)

Summary: <dev-ruby/rails-2.3.12: Potential XSS Vulnerability in Ruby on Rails Applications (CVE-2011-2197)
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: alexanderyt, ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 372391
Bug Blocks:

Description Hans de Graaff gentoo-dev Security 2011-06-09 07:35:14 UTC
The XSS prevention support in recent versions of Ruby on Rails allows some string operations which, when combined with user supplied data, may leave an 'unsafe string' incorrectly considered safe. It is unlikely that applications call these methods; however, we are shipping new versions today which prevent their use to ensure they're not called unintentionally.

This problem affects all versions of rails: 3.1.0.rc1, 3.0.7, and 2.3.11.

This problem is fixed in Rails 3.1.0.rc2, 3.0.8, and 2.3.12 (with rails_xss)
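To make the class of bug in the description concrete, here is an added Ruby model (not Rails' own SafeBuffer code, and not from this bug report) of an html_safe-tracking buffer. The `gsub_keeping_flag` method is an assumed stand-in for the kind of string operation described above: it splices untrusted data into a safe buffer while the result keeps its safe flag; `gsub` models the conservative fix, where the result is no longer treated as safe.

```ruby
require 'cgi'

# Minimal model, added here and not Rails' own code, of an html_safe-tracking
# buffer: text is escaped on output unless the buffer is flagged as already safe.
class TrackedString
  attr_reader :text

  def initialize(text, safe: false)
    @text = text.dup
    @safe = safe
  end

  def html_safe?; @safe; end

  # Appending escapes anything that is not itself flagged safe.
  def <<(other)
    @text << (other.is_a?(TrackedString) && other.html_safe? ? other.text : CGI.escapeHTML(other.to_s))
    self
  end

  # Assumed model of what this bug describes: a string operation splices in raw
  # (unescaped) data while the result keeps the receiver's safe flag.
  def gsub_keeping_flag(pattern, replacement)
    TrackedString.new(@text.gsub(pattern, replacement.to_s), safe: @safe)
  end

  # Model of the fix: the result of such an operation is no longer considered
  # safe, so the whole string is escaped on output unless the caller re-marks it.
  def gsub(pattern, replacement)
    TrackedString.new(@text.gsub(pattern, replacement.to_s), safe: false)
  end

  def to_html
    @safe ? @text : CGI.escapeHTML(@text)
  end
end

TEMPLATE = '<p>Hello %name%</p>' # constructed: trusted template markup
USER_INPUT = '<b>Mallory</b>'    # constructed: untrusted request data

def render_weak(input = USER_INPUT)
  TrackedString.new(TEMPLATE, safe: true).gsub_keeping_flag('%name%', input).to_html
end

def render_fixed(input = USER_INPUT)
  TrackedString.new(TEMPLATE, safe: true).gsub('%name%', input).to_html
end

# What application code should do: let the buffer escape the untrusted value on append.
def render_correct(input = USER_INPUT)
  (TrackedString.new('<p>Hello ', safe: true) << input << TrackedString.new('</p>', safe: true)).to_html
end
```

`render_weak` passes the user's markup through unescaped, `render_fixed` escapes the whole result (which is why the fix was expected to be noisy for applications relying on these methods), and `render_correct` escapes only the untrusted part.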
Comment 1 Hans de Graaff gentoo-dev Security 2011-06-19 12:51:32 UTC
Status update: rails 2.3.12 has been in the tree for a while. 3.0.8 still pending.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-06-20 03:33:16 UTC
Thank you, Hans. Can we stabilize 2.3.12?
Comment 3 Hans de Graaff gentoo-dev Security 2011-06-20 18:32:36 UTC
(In reply to comment #2)
> Thank you, Hans. Can we stabilize 2.3.12?

I think so. I've filed a separate bug for it since it requires some explanation and that bug can also serve as a focus point for any discussion on the stabilization.
Comment 4 Hans de Graaff gentoo-dev Security 2011-07-04 09:39:00 UTC
Rails 3.0.9 is now also in the tree (note that all 3.0.x versions are still marked ~)
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 20:52:39 UTC
Stabilization completed via bug 372391. Closing noglsa for xss.