Bug 370755 (CVE-2011-2197) - <dev-ruby/rails-2.3.12: Potential XSS Vulnerability in Ruby on Rails Applications (CVE-2011-2197)
Summary: <dev-ruby/rails-2.3.12: Potential XSS Vulnerability in Ruby on Rails Applicat...
Status: RESOLVED FIXED
Alias: CVE-2011-2197
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2011/6/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 372391
Blocks:
Reported: 2011-06-09 07:35 UTC by Hans de Graaff
Modified: 2011-10-30 22:38 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2011-06-09 07:35:14 UTC
The XSS prevention support in recent versions of Ruby on Rails allows some string operations which, when combined with user-supplied data, may leave an 'unsafe string' incorrectly considered safe. It is unlikely that applications call these methods; however, we are shipping new versions today which prevent their use to ensure they're not called unintentionally.

This problem affects all versions of rails: 3.1.0.rc1, 3.0.7, and 2.3.11.

This problem is fixed in Rails 3.1.0.rc2, 3.0.8, and 2.3.12 (with rails_xss).
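A constructed illustration of the bug class this report describes, added here as an editor's example; it is not part of the bug report and is not Rails' own ActiveSupport::SafeBuffer or rails_xss code. It assumes a toy auto-escaping buffer, uses gsub as the stand-in for the unnamed "string operations", and feeds a harmless XSS canary as the user-supplied value. The leaky variant keeps the result marked safe and so emits the raw input; the strict variant hands back a plain String, so the result is escaped again on append, which is the fail-closed direction the fixed releases took.

```ruby
require 'cgi'

# Constructed, simplified model of an auto-escaping output buffer, written for
# this note. It is NOT Rails' ActiveSupport::SafeBuffer; it only mirrors the
# idea: a buffer marked "safe" appends other safe buffers verbatim and
# HTML-escapes plain (untrusted) Strings.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Append: safe content passes through, anything else is escaped first.
  def <<(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value.to_str : CGI.escapeHTML(value.to_s))
  end
  alias_method :concat, :<<
end

# Vulnerable variant of the bug class in the advisory: a string-transforming
# method returns a new buffer that still claims to be safe, although the
# replacement text (here, user data) was never escaped.
class LeakySafeBuffer < SafeBuffer
  def gsub(*args, &block)
    LeakySafeBuffer.new(String.new(self).gsub(*args, &block))
  end
end

# Hardened variant, in the spirit of the fixed releases: the same method hands
# back a plain String, so the result loses its safe status and is escaped when
# appended to a buffer. This over-escapes the trusted markup too, i.e. it fails
# closed instead of leaking raw user data.
class StrictSafeBuffer < SafeBuffer
  def gsub(*args, &block)
    String.new(self).gsub(*args, &block)
  end
end

# Render a trusted template with a user-supplied name substituted via gsub.
def render_greeting(buffer_class, name)
  template = buffer_class.new('<p>Hello, NAME</p>')  # trusted markup, marked safe
  greeting = template.gsub('NAME', name)             # the string operation in question
  out = buffer_class.new('')
  out << greeting                                    # honours whatever safe status gsub left
  out.to_str
end

# Output check a reviewer can run: untrusted input must never reach the page
# byte-for-byte unescaped.
def leaks_raw_markup?(html, untrusted)
  html.include?(untrusted)
end

if __FILE__ == $PROGRAM_NAME
  canary = '<script>alert(1)</script>'  # constructed, harmless XSS canary
  [LeakySafeBuffer, StrictSafeBuffer].each do |klass|
    html = render_greeting(klass, canary)
    verdict = leaks_raw_markup?(html, canary) ? 'LEAKS raw input' : 'escaped'
    puts "#{klass}: #{verdict} -> #{html}"
  end
end
```

The strict variant's over-escaping of the surrounding markup is deliberate: once a transformed string can no longer prove it was built only from safe parts, the only safe default is to treat all of it as untrusted and let the template author re-mark it explicitly.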
Comment 1 Hans de Graaff gentoo-dev Security 2011-06-19 12:51:32 UTC
Status update: rails 2.3.12 has been in the tree for a while. 3.0.8 still pending.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-06-20 03:33:16 UTC
Thank you, Hans. Can we stabilize 2.3.12?
Comment 3 Hans de Graaff gentoo-dev Security 2011-06-20 18:32:36 UTC
(In reply to comment #2)
> Thank you, Hans. Can we stabilize 2.3.12?

I think so. I've filed a separate bug for it since it requires some explanation and that bug can also serve as a focus point for any discussion on the stabilization.
Comment 4 Hans de Graaff gentoo-dev Security 2011-07-04 09:39:00 UTC
Rails 3.0.9 is now also in the tree (note that all 3.0.x versions are still marked ~).
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 20:52:39 UTC
Stabilization completed via bug 372391. Closing noglsa for xss.