Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE request: ruby on rails flaws (4)
From: Vincent Danen <vdanen () redhat com>
Date: Wed, 17 Aug 2011 10:52:47 -0600

Could we get CVEs assigned to these flaws?  Upstream had requested CVEs
prior to disclosure, but didn't receive any.

http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6

1) Filter Skipping bugs
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552
https://bugzilla.redhat.com/show_bug.cgi?id=731432

2) SQL Injection issues
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85
https://bugzilla.redhat.com/show_bug.cgi?id=731438

3) Parse error in strip_tags
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a
https://bugzilla.redhat.com/show_bug.cgi?id=731436

4) UTF-8 escaping vulnerability
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd
https://bugzilla.redhat.com/show_bug.cgi?id=731435

Thanks!

--
Vincent Danen / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]