Debian Security Advisory

DSA-2260-1 rails -- several vulnerabilities

Date Reported:
14 Jun 2011
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 545063, Bug 558685.
In Mitre's CVE dictionary: CVE-2009-3086, CVE-2009-4214.
More information:

Two vulnerabilities were discovered in Ruby on Rails, a web application framework. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2009-3086

    The cookie store may be vulnerable to a timing attack, potentially allowing remote attackers to forge message digests.

  • CVE-2009-4214

    A cross-site scripting vulnerability in the strip_tags function allows remote user-assisted attackers to inject arbitrary web script.

For the oldstable distribution (lenny), these problems have been fixed in version 2.1.0-7+lenny0.2.

For the other distributions, these problems have been fixed in version 2.2.3-2.

We recommend that you upgrade your rails packages.