[SECURITY] Fedora EPEL 5 Update: rubygem-actionpack-2.1.1-3.el5

Tue Sep 22 22:25:51 UTC 2009

--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2009-0500
2009-09-22 21:52:04
--------------------------------------------------------------------------------

Name        : rubygem-actionpack
Product     : Fedora EPEL 5
Version     : 2.1.1
Release     : 3.el5
URL         : http://www.rubyonrails.org
Summary     : Web-flow and rendering framework putting the VC in MVC
Description :
Eases web-request routing, handling, and response as a half-way front,
half-way page controller. Implemented with specific emphasis on enabling easy
unit/integration testing that doesn't require a browser.

--------------------------------------------------------------------------------
Update Information:

A vulnerability is found on Ruby on Rails in the escaping code for the form
helpers, which also affects the rpms shipped in Fedora Project. Attackers who
can inject deliberately malformed unicode strings into the form helpers can
defeat the escaping checks and inject arbitrary HTML. This issue has been tagged
as CVE-2009-3009.    These new rpms will fix this issue.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #520843 - CVE-2009-3009 ruby-activesupport: XSS vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=520843
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs.  Use
su -c 'yum update rubygem-actionpack' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora EPEL GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------