[DRE-maint] Bug#834155: rails: CVE-2016-6316: Possible XSS Vulnerability in Action View
Antonio Terceiro
terceiro at debian.org
Mon Aug 22 17:09:32 UTC 2016
Hi,
On Fri, Aug 12, 2016 at 05:18:55PM +0200, Salvatore Bonaccorso wrote:
> Source: rails
> Version: 2:4.1.8-1
> Severity: important
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerability was published for rails.
>
> CVE-2016-6316[0]:
> Possible XSS Vulnerability in Action View
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-6316
> [1] http://seclists.org/oss-sec/2016/q3/260
> [2] https://groups.google.com/forum/#!msg/rubyonrails-security/I-VWr034ouk/gGu2FrCwDAAJ
>
> Please adjust the affected versions in the BTS as needed.
AFAICT you got the versions right already. This issue affects stable,
while the other does not.
For stable, I have prepared a security update and have successfully tested
it on a sample application based on the upstream advisory description.
Attached you will find both the debdiff (rails.diff) and the actual
backported patch (CVE-2016-6316.patch); the latter is easier to read than
the diff-in-diff part of the former.
For unstable, both issues will be fixed by 2:4.2.7.1-1 (being uploaded
RSN)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rails.diff
Type: text/x-diff
Size: 2968 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20160822/763e9055/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2016-6316.patch
Type: text/x-diff
Size: 1986 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20160822/763e9055/attachment.patch>