Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: ruby on rails flaws (4)
From: Vincent Danen <vdanen () redhat com>
Date: Sat, 20 Aug 2011 00:29:55 -0400 (EDT)

Sorry, there is one more flaw that needs a CVE assignment:

Response splitting flaw in 2.3.x (3.0.0 and later not affected).
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
https://github.com/rails/rails/commit/11dafeaa7533be26441a63618be93a03869c83a9
https://bugzilla.redhat.com/show_bug.cgi?id=732156

Sorry I missed this one earlier, I was looking at the 3.x advisory page and missed this one.

----- Original Message -----
----- Original Message -----
Could we get CVEs assigned to these flaws? Upstream had requested
CVEs
prior to disclosure, but didn't receive any.

http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6

1) Filter Skipping bugs
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552
https://bugzilla.redhat.com/show_bug.cgi?id=731432

Use CVE-2011-2929



2) SQL Injection issues
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85
https://bugzilla.redhat.com/show_bug.cgi?id=731438

Use CVE-2011-2930



3) Parse error in strip_tags
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a
https://bugzilla.redhat.com/show_bug.cgi?id=731436

Use CVE-2011-2931



4) UTF-8 escaping vulnerability
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd
https://bugzilla.redhat.com/show_bug.cgi?id=731435

Use CVE-2011-2932

-- 
Vincent Danen / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]