rails -- several vulnerabilities

ID DSA-2260
Type debian
Reporter Debian
Modified 2011-06-14T00:00:00


Two vulnerabilities were discovered in Ruby on Rails, a web application framework. The Common Vulnerabilities and Exposures project identifies the following problems:

The cookie store may be vulnerable to a timing attack, potentially allowing remote attackers to forge message digests.
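The timing problem described above comes from comparing a freshly computed digest with the one carried in the cookie using an ordinary string comparison, which returns as soon as the first differing byte is found. The following Ruby is an added illustration written for this page, not code from the Debian advisory or from the Rails project: it builds a minimal signed cookie store, shows the naive comparison beside a constant-time one, and verifies that tampered cookies are rejected. The secret, the cookie layout (`payload--digest`) and the SHA1 HMAC are assumptions made here for the example.

```ruby
require 'openssl'
require 'base64'

# Constructed secret for the example only; a real application keeps this
# out of source code.
SECRET = 'constructed-example-secret-do-not-reuse'.freeze

# HMAC-SHA1 over the encoded payload, returned as lowercase hex.
def sign(payload, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
end

# Builds "<base64 payload>--<hex digest>"; the separator is an assumption.
def generate(data, secret = SECRET)
  payload = Base64.strict_encode64(data)
  "#{payload}--#{sign(payload, secret)}"
end

# Naive verification. String#== stops at the first mismatching byte, so the
# time taken depends on how many leading digest bytes an attacker guessed
# correctly: this is the pattern the advisory is about.
def verify_naive(cookie, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return nil unless payload && digest
  return nil unless sign(payload, secret) == digest
  Base64.strict_decode64(payload)
rescue ArgumentError
  nil
end

# Constant-time comparison: XOR every byte pair and OR the results together,
# so the amount of work does not depend on where the first difference is.
# The length check is not secret here because the digest length is public.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Hardened verification: same parsing, but the digest check is constant-time.
def verify(cookie, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return nil unless payload && digest
  return nil unless secure_compare(sign(payload, secret), digest)
  Base64.strict_decode64(payload)
rescue ArgumentError
  nil
end

# Flips one hex character of the digest to produce a forged cookie for the
# demonstration.
def tamper_digest(cookie)
  payload, digest = cookie.split('--', 2)
  d = digest.dup
  d[0] = (d[0] == '0' ? '1' : '0')
  "#{payload}--#{d}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = generate('user_id=42')
  puts "cookie:   #{cookie}"
  puts "verified: #{verify(cookie).inspect}"
  puts "tampered: #{verify(tamper_digest(cookie)).inspect}"
end
```

Both verifiers accept and reject the same cookies; the difference is only in how long a rejection takes, which is exactly what a timing attack measures. Later Rails releases ship this kind of helper as `ActiveSupport::SecurityUtils.secure_compare`, and recent Ruby OpenSSL bindings provide `OpenSSL.fixed_length_secure_compare`; prefer those over a hand-written loop where they are available.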

A cross-site scripting vulnerability in the strip_tags function allows remote user-assisted attackers to inject arbitrary web script.

For the oldstable distribution (lenny), these problems have been fixed in version 2.1.0-7+lenny0.2.

For the other distributions, these problems have been fixed in version 2.2.3-2.

We recommend that you upgrade your rails packages.