(RHSA-2016:1855) Moderate: rh-ror42 security update

Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action View implements the view component, and Active Record implements the model component.

Security Fix(es) in rubygem-actionview:

• It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack. (CVE-2016-6316)

Security Fix(es) in rubygem-activerecord:

• A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application. (CVE-2016-6317)

Red Hat would like to thank the Ruby on Rails project for reporting these issues. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the original reporter of CVE-2016-6316; and joernchen (Phenoelit) as the original reporter of CVE-2016-6317.