
(RHSA-2016:1855) Moderate: rh-ror42 security update

Description

Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action View implements the view component, and Active Record implements the model component.

Security Fix(es) in rubygem-actionview:

* It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack. (CVE-2016-6316)

Security Fix(es) in rubygem-activerecord:

* A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application. (CVE-2016-6317)

Red Hat would like to thank the Ruby on Rails project for reporting these issues. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the original reporter of CVE-2016-6316, and joernchen (Phenoelit) as the original reporter of CVE-2016-6317.
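To make the Action View fix concrete, the following is an added example in plain Ruby, not Rails' own code and not part of the advisory: it models the tag-helper attribute escaping before and after the change for CVE-2016-6316. SafeString (standing in for ActiveSupport::SafeBuffer), tag_option_vulnerable, tag_option_fixed and attribute_names are names invented for this illustration, and the tainted input is constructed.

```ruby
require "cgi"

# Stand-in for ActiveSupport::SafeBuffer: a string the application has
# declared HTML-safe (e.g. via html_safe). Constructed for this example.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end
end

# Pre-fix behaviour as described in the advisory: an html_safe value is
# emitted verbatim, so a double quote inside it closes the attribute early.
def tag_option_vulnerable(key, value)
  value = CGI.escapeHTML(value) unless value.html_safe?
  %(#{key}="#{value}")
end

# Post-fix behaviour: the double quote is encoded even for html_safe values,
# because no attribute value may legitimately contain a raw '"'.
def tag_option_fixed(key, value)
  value = CGI.escapeHTML(value) unless value.html_safe?
  %(#{key}="#{value.gsub('"', "&quot;")}")
end

# Check helper: the names of the double-quoted attributes a browser-like
# tokenizer would see in the generated markup. One name means the value
# stayed inside its attribute; two means it broke out.
def attribute_names(markup)
  markup.scan(/([\w-]+)="[^"]*"/).flatten
end

if __FILE__ == $PROGRAM_NAME
  # Constructed untrusted input that the application wrongly marked html_safe.
  tainted = SafeString.new(%(x" data-injected="1))
  puts tag_option_vulnerable("title", tainted) # two attributes: breakout
  puts tag_option_fixed("title", tainted)      # one attribute: contained
  puts tag_option_fixed("title", %(a<b"c))     # plain strings fully escaped
end
```

Note that the fixed helper still leaves other markup in an html_safe value untouched; only the quote, which can never be valid inside a quoted attribute, is encoded.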


Affected Package

OS      OS Version  Package Name                       Package Version
RedHat  7           rh-ror42-rubygem-actionpack        4.2.6-3.el7
RedHat  7           rh-ror42-rubygem-actionpack-doc    4.2.6-3.el7
RedHat  7           rh-ror42-rubygem-actionview        4.2.6-3.el7
RedHat  7           rh-ror42-rubygem-actionview-doc    4.2.6-3.el7
RedHat  7           rh-ror42-rubygem-activerecord      4.2.6-3.el7
RedHat  7           rh-ror42-rubygem-activerecord-doc  4.2.6-3.el7
