[SECURITY] Fedora EPEL 5 Update: rubygem-actionpack-2.3.18-1.el5

updates at fedoraproject.org
Sun Nov 16 04:17:14 UTC 2014


--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2014-3549
2014-10-22 17:32:00
--------------------------------------------------------------------------------

Name        : rubygem-actionpack
Product     : Fedora EPEL 5
Version     : 2.3.18
Release     : 1.el5
URL         : http://www.rubyonrails.org
Summary     : Web-flow and rendering framework putting the VC in MVC
Description :
Eases web-request routing, handling, and response as a half-way front,
half-way page controller. Implemented with specific emphasis on enabling easy
unit/integration testing that doesn't require a browser.

--------------------------------------------------------------------------------
Update Information:

Rebase to 2.3.18 in EPEL5. This is a security rollup.

 - Bug 1095122 - CVE-2014-0130
 - Bug 1095125 - CVE-2014-0130
 - Bug 677626 - CVE-2011-0446
 - Bug 677629 - CVE-2011-0446, CVE-2011-0447
 - Bug 677631 - CVE-2011-0447
 - Bug 731435 - CVE-2011-2932
 - Bug 731438 - CVE-2011-2930
 - Bug 731450 - CVE-2011-2932
 - Bug 731453 - CVE-2011-2930
 - Bug 744706 - CVE-2010-3933
 - Bug 831583 - CVE-2012-2695
 - Bug 843924 - CVE-2012-3424
 - Bug 847202 - CVE-2013-0156
 - Bug 891468 - CVE-2012-5664
 - Bug 905373 - CVE-2013-0333
 - Bug 921329 - CVE-2013-1854
 - Bug 924297 - CVE-2013-1855, CVE-2013-1857
 - Bug 924318 - CVE-2013-1854
 - Bug 948706 - CVE-2013-0276

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #677626 - CVE-2011-0446 rubygem-actionpack: Multiple XSS flaws via crafted name or email value in the mail_to_helper
        https://bugzilla.redhat.com/show_bug.cgi?id=677626
  [ 2 ] Bug #677631 - CVE-2011-0447 rubygem-actionpack: CSRF flaws due to improper validation of HTTP headers containing X-Requested-With header
        https://bugzilla.redhat.com/show_bug.cgi?id=677631
  [ 3 ] Bug #731435 - CVE-2011-2932 rubygem-activesupport: XSS vulnerability in escaping function (Ruby on Rails)
        https://bugzilla.redhat.com/show_bug.cgi?id=731435
  [ 4 ] Bug #731438 - CVE-2011-2930 rubygem-activerecord: SQL injection vulnerability in quote_table_name (Ruby on Rails)
        https://bugzilla.redhat.com/show_bug.cgi?id=731438
  [ 5 ] Bug #744706 - CVE-2010-3933 rubygem-activerecord: Improper nested attributes management
        https://bugzilla.redhat.com/show_bug.cgi?id=744706
  [ 6 ] Bug #921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=921329
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs.  Use
su -c 'yum update rubygem-actionpack' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
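To confirm that a host already carries the fixed build, the installed version-release can be compared against 2.3.18-1.el5 using RPM's own ordering rules. The script below is an added example, not part of this notification: it assumes the rpm command is available, that the package epoch is unchanged, and it reimplements rpmvercmp() in simplified form (tilde pre-release markers are handled, the newer '^' marker is not).

```python
import re
import subprocess

# Fixed build named in this advisory (FEDORA-EPEL-2014-3549); epoch assumed equal.
PACKAGE = "rubygem-actionpack"
FIXED_VERSION = "2.3.18"
FIXED_RELEASE = "1.el5"
# Segments rpm compares: digit runs, letter runs and the '~' pre-release marker.
# Simplified reimplementation of rpmvercmp(); newer rpm's '^' marker is not handled.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a, b):
    """Return -1, 0 or 1 as version string a is older than, equal to or newer than b."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":          # tilde sorts before anything, even end of string
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():   # numeric segments compare as integers
            return -1 if int(x) < int(y) else 1
        if x.isdigit() or y.isdigit():    # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1         # both alphabetic: plain string order
    # Common prefix equal: leftover segments mean newer, unless the leftover starts
    # with a tilde (2.3.18 is newer than 2.3.18~rc1).
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0

def is_patched(version, release):
    """True when the installed version-release is at or above the fixed build."""
    c = rpmvercmp(version, FIXED_VERSION)
    return c > 0 if c != 0 else rpmvercmp(release, FIXED_RELEASE) >= 0

def installed_version_release(package=PACKAGE):
    """Query the local rpm database; returns (version, release) or None if not installed."""
    proc = subprocess.run(["rpm", "-q", "--qf", "%{VERSION} %{RELEASE}", package],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return tuple(proc.stdout.split())

if __name__ == "__main__":
    vr = installed_version_release()
    print("not installed" if vr is None else ("patched" if is_patched(*vr) else "VULNERABLE: run yum update"))
```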

All packages are signed with the Fedora EPEL GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------