4005 matches found
SUSE-SU-2016:0619-1 Security update for rubygem-activerecord-3_2
This update for rubygem-activerecord-3_2 fixes the following issues: - CVE-2015-7577: rubygem-activerecord: Nested attributes rejection proc bypass bsc#963330...
rubygem-activerecord: Nested attributes rejection proc bypass in Active Record
A flaw was found in the Active Record component's handling of nested attributes in combination with the destroy flag. An attacker could possibly use this flaw to set attributes to invalid values or clear all attributes...
Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3519)
The remote Oracle Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2016-3519 advisory. - x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection Andy Lutomirski Orabug: 22742507 CVE-2015-5157 - x86/nmi/64: Reorder nested NMI...
Unbreakable Enterprise kernel security update
kernel-uek 3.8.13-118.3.2 - x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection Andy Lutomirski Orabug: 22742507 CVE-2015-5157 - x86/nmi/64: Reorder nested NMI checks Andy Lutomirski Orabug: 22742507 CVE-2015-5157 - x86/nmi/64: Improve nested NMI comments Andy Lutomirski...
CVE-2015-7577
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass...
DEBIAN-CVE-2015-7577
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass...
UBUNTU-CVE-2015-7577
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass...
Deserialization of untrusted data
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass...
CVE-2015-7577
CVE-2015-7577 concerns Ruby on Rails Active Record’s nested_attributes vulnerability. The flaw affects ActiveRecord::NestedAttributes in Rails 3.1.x/3.2.x (before 3.2.22.1), 4.x (before 4.1.14.1 for 4.1.x; 4.2.x before 4.2.5.1), and 5.x (before 5.0.0.beta1.1). The defect allows remote attackers t...
SUSE-SU-2016:0458-1 Security update for rubygem-activerecord-4_2
This update for rubygem-activerecord-4_2 fixes the following issues: - CVE-2016-0753: Input Validation Circumvention bsc#963334 - CVE-2015-7577: Nested attributes rejection proc bypass bsc#963330...
Nested attributes rejection proc bypass
When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the allow_destroy: false option to the accepts_nested_attributes_for method. The allow_destroy flag prevents the :reject_if proc from being called because it assumes that the recor...
openSUSE Security Update : rubygem-actionpack-3_2 / rubygem-activesupport-3_2 (openSUSE-2016-160)
This update for rubygem-actionpack-3_2, rubygem-activesupport-3_2 fixes the following issues : - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller boo#963329 - CVE-2016-0752: directory traversal and information leak in Action View boo#963332 - CVE-2016-0751:...
openSUSE Security Update : rubygem-actionpack-4_2 / rubygem-actionview-4_2 / rubygem-activemodel-4_2 / etc (openSUSE-2016-159)
This update for rubygem-actionpack-4_2, rubygem-actionview-4_2, rubygem-activemodel-4_2, rubygem-activerecord-4_2, rubygem-activesupport-4_2 fixes the following issues : - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller boo#963329 - CVE-2016-0752: directory...
HackerOne: Putting link inside link in markdown
Hello. I was playing around in the markdown editor and found 1 interesting feature. You can put a link inside a link. ololol l l:http://dwq If you do it ololol will be parsed first, then the result of parsing will be sent outside. Maximum depth of such link inserting is 16. So the slowest thing we can do is...
libEBML Memory Misreference Vulnerability
libEBML is a C++ library for parsing EBML files maintained by the Matroska team. A memory misreference vulnerability exists in the 'EbmlMaster::Read' function of libEBML when parsing deep nested elements of infinite size, which allows remote attackers to exploit the vulnerability to access freed...
DEBIAN-CVE-2015-8789
Use-after-free vulnerability in the EbmlMaster::Read function in libEBML before 1.3.3 allows context-dependent attackers to have unspecified impact via a "deeply nested element with infinite size" followed by another element of an upper level in an EBML document...
CVE-2015-8789
Use-after-free vulnerability in the EbmlMaster::Read function in libEBML before 1.3.3 allows context-dependent attackers to have unspecified impact via a "deeply nested element with infinite size" followed by another element of an upper level in an EBML document...