[DRE-maint] Bug#834155: rails: CVE-2016-6316: Possible XSS Vulnerability in Action View

Moritz Muehlenhoff jmm at inutil.org
Mon Aug 22 17:31:50 UTC 2016


On Mon, Aug 22, 2016 at 02:09:32PM -0300, Antonio Terceiro wrote:
> Hi,
> 
> On Fri, Aug 12, 2016 at 05:18:55PM +0200, Salvatore Bonaccorso wrote:
> > Source: rails
> > Version: 2:4.1.8-1
> > Severity: important
> > Tags: security upstream patch
> > 
> > Hi,
> > 
> > the following vulnerability was published for rails.
> > 
> > CVE-2016-6316[0]:
> > Possible XSS Vulnerability in Action View
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-6316
> > [1] http://seclists.org/oss-sec/2016/q3/260
> > [2] https://groups.google.com/forum/#!msg/rubyonrails-security/I-VWr034ouk/gGu2FrCwDAAJ
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> AFAICT you got the versions right already. This issue affects stable,
> while the other does not.
> 
> For stable, I have prepared a security update, have successfully tested
> it on a sample application based on the upstream advisory description.
> Attached you will find both the debdiff (rails.diff) and the actual
> backported patch (CVE-2016-6316.patch); the latter is easier to read than
> the diff-in-diff part of the former.

Thanks, please upload to security-master

Cheers,
        Moritz
