Debian Security Advisory
DSA-2260-1 rails -- several vulnerabilities
- Date Reported:
- 14 Jun 2011
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 545063, Bug 558685.
In Mitre's CVE dictionary: CVE-2009-3086, CVE-2009-4214.
- More information:
Two vulnerabilities were discovered in Ruby on Rails, a web application framework. The Common Vulnerabilities and Exposures project identifies the following problems:
The cookie store may be vulnerable to a timing attack, potentially allowing remote attackers to forge message digests.
A cross-site scripting vulnerability in the strip_tags function allows remote user-assisted attackers to inject arbitrary web script.
For the oldstable distribution (lenny), these problems have been fixed in version 2.1.0-7+lenny0.2.
For the other distributions, these problems have been fixed in version 2.2.3-2.
We recommend that you upgrade your rails packages.