ruby on rails to 2.3.16 (important)

ID OPENSUSE-SU-2013:0280-1
Type suse
Reporter Suse
Modified 2013-02-12T11:04:29


This update updates the RubyOnRails 2.3 stack to 2.3.16.

Security and bugfixes were done, foremost: CVE-2013-0333: A JSON sql/code injection problem was fixed. CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed. CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed. CVE-2013-0155: Unsafe Query Generation Risk in Ruby on Rails was fixed. CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed. CVE-2012-5664: options hashes should only be extracted if there are extra parameters CVE-2012-2695: Fix SQL injection via nested hashes in conditions CVE-2013-0156: Hash.from_xml raises when it encounters type="symbol" or type="yaml". Use Hash.from_trusted_xml to parse this XM