[SECURITY] Fedora EPEL 5 Update: rubygem-activerecord-2.3.18-1.el5

updates at fedoraproject.org
Sun Nov 16 04:17:15 UTC 2014


--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2014-3549
2014-10-22 17:32:00
--------------------------------------------------------------------------------

Name        : rubygem-activerecord
Product     : Fedora EPEL 5
Version     : 2.3.18
Release     : 1.el5
URL         : http://www.rubyonrails.org
Summary     : Implements the ActiveRecord pattern for ORM
Description :
Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database
tables and classes together for business objects, like Customer or
Subscription, that can find, save, and destroy themselves without resorting to
manual SQL.

--------------------------------------------------------------------------------
Update Information:

Rebase to 2.3.18 in EPEL5. This update is a security rollup covering the following bugs and CVEs:

 - Bug 1095122 - CVE-2014-0130
 - Bug 1095125 - CVE-2014-0130
 - Bug 677626 - CVE-2011-0446
 - Bug 677629 - CVE-2011-0446, CVE-2011-0447
 - Bug 677631 - CVE-2011-0447
 - Bug 731435 - CVE-2011-2932
 - Bug 731438 - CVE-2011-2930
 - Bug 731450 - CVE-2011-2932
 - Bug 731453 - CVE-2011-2930
 - Bug 744706 - CVE-2010-3933
 - Bug 831583 - CVE-2012-2695
 - Bug 843924 - CVE-2012-3424
 - Bug 847202 - CVE-2013-0156
 - Bug 891468 - CVE-2012-5664
 - Bug 905373 - CVE-2013-0333
 - Bug 921329 - CVE-2013-1854
 - Bug 924297 - CVE-2013-1855, CVE-2013-1857
 - Bug 924318 - CVE-2013-1854
 - Bug 948706 - CVE-2013-0276
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #677626 - CVE-2011-0446 rubygem-actionpack: Multiple XSS flaws via crafted name or email value in the mail_to_helper
        https://bugzilla.redhat.com/show_bug.cgi?id=677626
  [ 2 ] Bug #677631 - CVE-2011-0447 rubygem-actionpack: CSRF flaws due to improper validation of HTTP headers containing X-Requested-With header
        https://bugzilla.redhat.com/show_bug.cgi?id=677631
  [ 3 ] Bug #731435 - CVE-2011-2932 rubygem-activesupport: XSS vulnerability in escaping function (Ruby on Rails)
        https://bugzilla.redhat.com/show_bug.cgi?id=731435
  [ 4 ] Bug #731438 - CVE-2011-2930 rubygem-activerecord: SQL injection vulnerability in quote_table_name (Ruby on Rails)
        https://bugzilla.redhat.com/show_bug.cgi?id=731438
  [ 5 ] Bug #744706 - CVE-2010-3933 rubygem-activerecord: Improper nested attributes management
        https://bugzilla.redhat.com/show_bug.cgi?id=744706
  [ 6 ] Bug #921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=921329
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update rubygem-activerecord' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora EPEL GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------