208 matches found

Veracode, added 2017/06/23 4:14 a.m.

Insecure Random Number Generation

jRuby is vulnerable to insecure random number generation. The library does not use a pseudo-random salt when generating a hash, causing the hash generated to be easier to predict...

AI score 6.6 | Exploits 0
Tenable Nessus, added 2015/04/30 12:00 a.m.

Debian DLA-209-1 : jruby security update

JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. Note: This update includes...

CVSS 5 | AI score 5.6 | EPSS 0.0436 | Exploits 1 | References 3
Debian, added 2015/04/29 10:47 a.m.

[SECURITY] [DLA 209-1] jruby security update

Package : jruby
Version : 1.5.1-1+deb6u1
CVE ID : CVE-2011-4838
Debian Bug : 686867

JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted...

CVSS 5 | AI score 6 | EPSS 0.0436 | Exploits 1
OSV, added 2015/04/29 12:00 a.m.

DLA-209-1 jruby - security update

Bulletin has no description...

CVSS 5 | AI score 5.2 | EPSS 0.0436 | Exploits 1
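The DLA-209-1 entries above and the Veracode entry at the top of this list describe the same weakness class: a string hash whose collisions an attacker can precompute, so that crafted keys all land in one bucket and every insert or lookup of those keys degrades to a linear scan. The Ruby program below is an added example written for this page; it is not JRuby's code and not the Debian patch. It builds 2^n colliding keys for a classic multiplicative (h*33 + byte) string hash using the equivalent-substring construction, shows that folding a random seed into that hash's initial state does not break the collision set, and contrasts it with a keyed SipHash-2-4 (transcribed here from the published specification and checked against its test vectors) under which the same keys spread across buckets. The function names, the toy chained table, the 64-bucket count and the demo key are assumptions of the example.

```ruby
# Added example (not JRuby's code): predictable hash collisions vs. a keyed hash.
MASK64 = (1 << 64) - 1

# Classic multiplicative string hash (h = h*33 + byte). The optional seed models
# the "random initial value" mitigation; it does not help against the
# equivalent-substring construction below, because every colliding key has the
# same length and the seed contributes the same seed*33**len term to each hash.
def mult33_hash(str, seed = 5381)
  str.each_byte.inject(seed) { |h, c| (h * 33 + c) & MASK64 }
end

# "Aa" and "B@" hash identically under h*33 + c: 65*33 + 97 == 66*33 + 64.
# Concatenating n such blocks in every combination yields 2**n distinct keys
# with one hash value. This is the construction behind hash-flooding attacks.
def colliding_keys(n)
  (0...(1 << n)).map do |bits|
    n.times.map { |j| bits[j].zero? ? "Aa" : "B@" }.join
  end
end

# --- SipHash-2-4, transcribed from the Aumasson/Bernstein specification ---
def rotl64(x, b)
  ((x << b) | (x >> (64 - b))) & MASK64
end

def sipround(v0, v1, v2, v3)
  v0 = (v0 + v1) & MASK64; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32)
  v2 = (v2 + v3) & MASK64; v3 = rotl64(v3, 16); v3 ^= v2
  v0 = (v0 + v3) & MASK64; v3 = rotl64(v3, 21); v3 ^= v0
  v2 = (v2 + v1) & MASK64; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32)
  [v0, v1, v2, v3]
end

# key: 16-byte binary string (the per-process secret); returns a 64-bit Integer.
def siphash24(key, msg)
  k0, k1 = key.unpack("Q<Q<")
  v = [k0 ^ 0x736f6d6570736575, k1 ^ 0x646f72616e646f6d,
       k0 ^ 0x6c7967656e657261, k1 ^ 0x7465646279746573]
  bytes = msg.bytes
  full = bytes.length - bytes.length % 8
  (0...full).step(8) do |i|
    m = bytes[i, 8].pack("C*").unpack1("Q<")
    v[3] ^= m
    2.times { v = sipround(*v) }
    v[0] ^= m
  end
  last = (bytes.length & 0xff) << 56            # final block: tail bytes + length byte
  bytes[full, bytes.length - full].each_with_index { |b, i| last |= b << (8 * i) }
  v[3] ^= last
  2.times { v = sipround(*v) }
  v[0] ^= last
  v[2] ^= 0xff
  4.times { v = sipround(*v) }
  v[0] ^ v[1] ^ v[2] ^ v[3]
end

# Longest chain in a toy separately-chained table: the work an attacker forces
# on every lookup of a colliding key grows with this number.
def max_chain_length(keys, buckets = 64)
  chains = Hash.new(0)
  keys.each { |k| chains[yield(k) % buckets] += 1 }
  chains.values.max
end

def demo
  keys = colliding_keys(8)                       # 256 distinct keys, all 16 bytes long
  seed = 0x9e3779b97f4a7c15                      # any seed gives the same result
  key  = (0..15).to_a.pack("C*")                 # constructed SipHash key for the demo
  {
    unseeded: max_chain_length(keys) { |k| mult33_hash(k) },
    seeded:   max_chain_length(keys) { |k| mult33_hash(k, seed) },
    siphash:  max_chain_length(keys) { |k| siphash24(key, k) }
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Running the file prints the longest chain for each variant: 256 for the unseeded and the seeded multiplicative hash (every key in one bucket), and a single-digit-to-low-double-digit value for SipHash. The lesson for a fix is the one the seeded case makes visible: randomising the initial state of a linear hash is not enough, because the attacker's collisions are independent of that state; the hash itself has to be a keyed function the attacker cannot invert without the secret.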
seebug.org, added 2014/07/01 12:00 a.m.

JRuby Sandbox 0.2.2 - Sandbox Escape

No description provided by source. Phenoelit Advisory wir-haben-auch-mal-was-gefunden 0815 +-+++
Authors: joernchen (joernchen phenoelit de), Phenoelit Group http://www.phenoelit.de
Affected Products: jruby-sandbox <= 0.2.2 https://github.com/omghax/jruby-sandbox
Vendor communication: 2014-04-22 Send...

AI score 7.1 | Exploits 0
0day.today, added 2014/04/25 12:00 a.m.

JRuby Sandbox 0.2.2 - Sandbox Escape

jruby-sandbox aims to allow safe execution of user-given Ruby code within a JRuby runtime. However, via import of Java classes it is possible to circumvent those protections and execute arbitrary code outside the sandboxed environment. Versions 0.2.2 and below are affected. Phenoelit Advisory...

AI score 8 | Exploits 0
exploitpack, added 2014/04/25 12:00 a.m.

JRuby Sandbox 0.2.2 - Sandbox Escape

JRuby Sandbox 0.2.2 - Sandbox Escape Phenoelit Advisory Authors joernchen Phenoelit Group http://www.phenoelit.de Affected Products jruby-sandbox e puts "fail via Ruby ;" end puts "Now for some Java" sand.eval "Kernel.send :java_import, 'java.lang.ProcessBuilder'" sand.eval "Kernel.send :java_import,...

AI score 7.4 | Exploits 0
Exploit DB, added 2014/04/25 12:00 a.m.

JRuby Sandbox 0.2.2 - Sandbox Escape

Phenoelit Advisory Authors joernchen Phenoelit Group http://www.phenoelit.de Affected Products jruby-sandbox e puts "fail via Ruby ;" end puts "Now for some Java" sand.eval "Kernel.send :java_import, 'java.lang.ProcessBuilder'" sand.eval "Kernel.send :java_import, 'java.util.Scanner'" sand.eval "s =...

AI score 7.4 | Exploits 0
Packet Storm, added 2014/04/24 12:00 a.m.

JRuby Sandbox 0.2.2 Bypass

Phenoelit Advisory Authors joernchen Phenoelit Group http://www.phenoelit.de Affected Products jruby-sandbox e puts "fail via Ruby ;" end puts "Now for some Java" sand.eval "Kernel.send :java_import, 'java.lang.ProcessBuilder'" sand.eval "Kernel.send :java_import, 'java.util.Scanner'" sand.eval "s =...

AI score 7.4 | Exploits 0
Mageia, added 2014/04/03 1:23 p.m.

Updated ruby-rack-ssl packages fix CVE-2014-2538

Updated ruby-rack-ssl packages fix security vulnerabilities: Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters su...

CVSS 4.3 | AI score 5.6 | EPSS 0.0219 | Exploits 1 | References 2
NVD, added 2014/03/25 6:21 p.m.

CVE-2014-2538

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack...

CVSS 4.3 | AI score 5.5 | EPSS 0.0219 | Exploits 1 | References 5
UbuntuCve, added 2014/03/25 6:21 p.m.

CVE-2014-2538

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack...

CVSS 4.3 | AI score 7.3 | EPSS 0.0219 | Exploits 1 | References 2
Prion, added 2014/03/25 6:21 p.m.

Cross site scripting

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack...

CVSS 4.3 | AI score 6 | EPSS 0.0219 | Exploits 1 | References 5 | Affected Software 1
Cvelist, added 2014/03/25 2:00 p.m.

CVE-2014-2538

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack...

AI score 5.4 | EPSS 0.0219 | Exploits 1 | References 5
CVE, added 2014/03/25 2:00 p.m.

CVE-2014-2538

CVE-2014-2538 describes an XSS vulnerability in the rack-ssl gem's Ruby component (lib/rack/ssl.rb) prior to version 1.4.0. The issue allows remote attackers to inject arbitrary web script or HTML via a URI, which may not be handled correctly by adapters such as JRuby-Rack. Affected product: rack...

CVSS 4.3 | AI score 5.5 | EPSS 0.0219 | Exploits 1 | References 5 | Affected Software 1
Debian CVE, added 2014/03/25 2:00 p.m.

CVE-2014-2538

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack...

CVSS 4.3 | AI score 5.5 | EPSS 0.0219 | Exploits 1
RedHat Linux, added 2013/07/09 5:35 p.m.

Important: Red Hat Security Advisory: Fuse ESB Enterprise 7.1.0 update

Fuse ESB Enterprise 7.1.0 roll up patch 1, which fixes multiple security issues and various bugs, is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores,...

CVSS 7.5 | AI score 6.8 | EPSS 0.32259 | Exploits 6 | References 8
RubySec, added 2013/07/09 12:00 a.m.

CVE-2014-2538 rubygem rack-ssl: URL error display XSS

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack...

CVSS 4.3 | AI score 5.5 | EPSS 0.0219 | Exploits 1 | References 1 | Affected Software 1
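The CVE-2014-2538 entries above describe a redirect that echoes the request URI into an HTML body without escaping it. The Ruby snippet below is an added example written for this page and modelled on that bug class; it is not rack-ssl's code, and the function names, the constructed Rack env, the hypothetical host and the body wording are assumptions of the example. It places the vulnerable redirect beside a hardened one that HTML-escapes the URL before interpolating it, while leaving the Location header as the raw URL, which is not an HTML context.

```ruby
# Added example (not rack-ssl's code): HTTP->HTTPS redirect that reflects the
# requested URL into an HTML body, in vulnerable and hardened form.
require "cgi"

# Rebuild the requested URL on https:// from the standard Rack env keys.
def https_url(env)
  url = "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}"
  qs = env["QUERY_STRING"].to_s
  qs.empty? ? url : "#{url}?#{qs}"
end

def redirect_body(url_for_html)
  "<html><body>You are being <a href=\"#{url_for_html}\">redirected</a>.</body></html>"
end

# Vulnerable: the attacker-controlled path and query land in the HTML as-is, so
# a request for /"><script>...</script> closes the href and injects markup.
def redirect_vulnerable(env)
  url = https_url(env)
  [301, { "Location" => url, "Content-Type" => "text/html" }, [redirect_body(url)]]
end

# Hardened: escape for the HTML context before interpolating. The Location
# header keeps the raw URL; header encoding is a separate concern from XSS.
def redirect_hardened(env)
  url = https_url(env)
  [301, { "Location" => url, "Content-Type" => "text/html" },
   [redirect_body(CGI.escapeHTML(url))]]
end

# Constructed Rack env for the demo (hypothetical host, attacker-chosen path).
EVIL_ENV = {
  "HTTP_HOST" => "shop.example",
  "PATH_INFO" => "/\"><script>alert(document.cookie)</script>",
  "QUERY_STRING" => ""
}.freeze

# Rack bodies are enumerables of strings; join them for inspection.
def body_of(response)
  response[2].join
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{body_of(redirect_vulnerable(EVIL_ENV))}"
  puts "hardened:   #{body_of(redirect_hardened(EVIL_ENV))}"
end
```

The check a reviewer wants is the one the two functions make concrete: any value derived from the request that is interpolated into HTML, including a URL the application itself built from Host and path, goes through the HTML escaper, regardless of whether the server or an adapter such as JRuby-Rack has already normalised it.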
Tenable Nessus, added 2013/04/12 12:00 a.m.

FreeBSD : rubygem-rails -- multiple vulnerabilities (db0c4b00-a24c-11e2-9601-000d601460a4)

Ruby on Rails team reports : Rails versions 3.2.13 has been released. This release contains important security fixes. It is recommended users upgrade as soon as possible. Four vulnerabilities have been discovered and fixed : - CVE-2013-1854 Symbol DoS vulnerability in Active Record - CVE-2013-185...

CVSS 5.8 | AI score 7 | EPSS 0.03409 | Exploits 2 | References 9
Tenable Nessus, added 2013/04/01 12:00 a.m.

Fedora 17 : rubygem-activesupport-3.0.11-9.fc17 (2013-4130)

Fix for jdom: XML Parsing Vulnerability affecting JRuby users. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional...

CVSS 5.8 | AI score 5.4 | EPSS 0.02054 | Exploits 1 | References 3