Rails 3.2.16 and 4.0.2 have been released! These two releases contain important security fixes, so please upgrade as soon as possible! In order to make upgrading as smooth as possible, we've only included commits directly related to each security issue.

The security fixes in 3.2.16 are:
- CVE-2013-6417 Unsafe Query Generation Risk
- CVE-2013-4491 Reflective XSS Vulnerability in Ruby on Rails
- CVE-2013-6415 XSS Vulnerability in number_to_currency
- CVE-2013-6414 Denial of Service Vulnerability in Action View

The security fixes in 4.0.2 are:
- CVE-2013-6417 Unsafe Query Generation Risk
- CVE-2013-4491 Reflective XSS Vulnerability in Ruby on Rails
- CVE-2013-6415 XSS Vulnerability in number_to_currency
- CVE-2013-6414 Denial of Service Vulnerability in Action View
- CVE-2013-6416 XSS Vulnerability in simple_format helper
dev-ruby/i18n-0.6.9 and rails-3.2.16 are now in the tree.
Hans, is 4.0.2 on the way?
(In reply to Yury German from comment #2)
> Hans,
>
> is 4.0.2 on the way?

It's here! Rails 4.0.2 is now also in the tree. None of these packages are currently stable, so from a maintainer/arch perspective we are done.
Hans, just to confirm: there is no ebuild for 4.0.2 for x86, is that correct? I want to make sure before asking for stabilization.
(In reply to Yury German from comment #4)
> Hans,
>
> Just to confirm no ebuild for 4.0.2 for x86 is that correct? Want to make
> sure before asking for stabilization.

Correct: bug 493356 has been filed in October for other arches. There is also no need to ask for stabilization in this bug since we did not have any versions stable before.
CVE-2013-4491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4491): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
CVE-2013-6417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6417): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

CVE-2013-6416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6416): Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.

CVE-2013-6415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6415): Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.

CVE-2013-6414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6414): actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
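As an added illustration of the CVE-2013-6417 parameter-handling issue described above (this is not code from the Rails patches or from this bug), the plain-Ruby block below re-implements the kind of parameter normalisation Rails applies to JSON-originated values, so that arrays such as `[null]` or `[]` collapse to `nil` and an application's nil check fires before the value can reach an Active Record condition. The function names `deep_munge`, `json_params` and `lookup_allowed?` are my own, and the recursion into nested arrays is a generalisation of the approach rather than a copy of the Rails code.

```ruby
require 'json'

# Re-implementation modelled on the normalisation Rails 3.2.16 / 4.0.2 apply
# to request parameters (assumption: not the Rails code itself). Any array
# that is empty after removing nils becomes nil, hashes are walked
# recursively, scalars pass through untouched.
def deep_munge(value)
  case value
  when Hash
    value.each { |k, v| value[k] = deep_munge(v) } # existing keys only, safe during each
    value
  when Array
    value.map! { |v| deep_munge(v) }
    value.compact!                      # drop nils (JSON null)
    value.empty? ? nil : value          # [nil], [], [[nil]] all collapse to nil
  else
    value
  end
end

# What any JSON-parsing middleware should hand to the application: the parsed
# body, munged regardless of which parser produced it. This is the point of
# CVE-2013-6417: the munge must happen where params are read, not only in
# the framework's own JSON parser.
def json_params(raw_body)
  deep_munge(JSON.parse(raw_body))
end

# A typical application guard. Without munging, params['name'] == [nil] is
# not nil, so the guard passes and the query would be built from [nil],
# which Active Record turns into an IS NULL condition.
def lookup_allowed?(params)
  !params['name'].nil?
end
```

Compare `lookup_allowed?(JSON.parse(body))` with `lookup_allowed?(json_params(body))` for a constructed body of `{"name":[null]}`: the raw parse passes the guard, the munged parameters do not.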
Vulnerable versions have been removed from the tree.
Hans, thank you for correcting me on the vulnerable version. No GLSA is required, as the current vulnerable version is not stable.