Updated ruby-rails and associated packages fix multiple vulnerabilities
Publication date: 24 Apr 2014
Modification date: 24 Apr 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-0080, CVE-2014-0081
Description
Updated ruby-activerecord and ruby-actionpack packages fix security vulnerabilities:

There is a data injection vulnerability in Active Record. Specially crafted strings can be used to save unintended values into PostgreSQL array columns (CVE-2014-0080).

There is an XSS vulnerability in the number_to_currency, number_to_percentage and number_to_human helpers in Ruby on Rails (CVE-2014-0081).

The associated packages have been updated to version 4.0.3 to fix these issues.
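Both issues are the same bug class seen from the defender's side: an untrusted string is interpolated into a structured format (a PostgreSQL array literal, an HTML page) without being escaped for that format's metacharacters. The following is an added, self-contained Ruby illustration of that class; it is not the advisory's or Rails' own code. The serializers, the small array-literal parser and the currency helper are simplified stand-ins written for this example, and the sample values are constructed. For the HTML side it assumes, as the vulnerable helpers effectively did, that the helper's return value is inserted into the page as-is.

```ruby
require "erb"

# --- CVE-2014-0080 side: PostgreSQL array literals ---------------------------
# PostgreSQL's text form of an array is {elem,elem,...}. An element that
# contains , " \ { } or whitespace must be wrapped in double quotes, and any
# embedded " or \ must be escaped with a backslash.

# Naive serializer (illustrates the bug class, not Rails' actual code): each
# element is quoted, but quotes and backslashes inside it are left untouched,
# so a value containing  ","  can terminate one element and start another.
def pg_array_literal_naive(values)
  "{" + values.map { |v| %("#{v}") }.join(",") + "}"
end

# Corrected serializer: escape backslash and double quote inside each element.
def pg_quote_element(value)
  %("#{value.to_s.gsub(/[\\"]/) { |c| "\\" + c }}")
end

def pg_array_literal_safe(values)
  "{" + values.map { |v| pg_quote_element(v) }.join(",") + "}"
end

# Minimal parser for quoted one-dimensional array literals (hypothetical helper,
# written here only to show what the database would actually store).
def parse_pg_array(literal)
  raise ArgumentError, "not an array literal" unless literal.start_with?("{") && literal.end_with?("}")
  body = literal[1..-2]
  return [] if body.empty?
  elems = []
  cur = +""
  in_quotes = false
  i = 0
  while i < body.length
    c = body[i]
    if in_quotes
      if c == "\\"          # backslash escapes the next character
        cur << body[i + 1]
        i += 1
      elsif c == '"'        # closing quote
        in_quotes = false
      else
        cur << c
      end
    elsif c == '"'          # opening quote
      in_quotes = true
    elsif c == ","          # element separator (outside quotes)
      elems << cur
      cur = +""
    else
      cur << c
    end
    i += 1
  end
  elems << cur
end

# --- CVE-2014-0081 side: a number helper whose `unit` reaches the HTML ---------
# Illustrative reconstruction of the bug class, not the Rails helper itself.
# If `unit` comes from a request parameter, the naive version emits it raw.
def number_to_currency_naive(amount, unit: "$")
  "#{unit}#{format('%.2f', amount)}"
end

# Corrected version: escape the caller-supplied option before it joins the
# (otherwise trusted) formatted output.
def number_to_currency_safe(amount, unit: "$")
  "#{ERB::Util.html_escape(unit)}#{format('%.2f', amount)}"
end

if __FILE__ == $PROGRAM_NAME
  injected = ['a","b']   # constructed sample: one value that looks like two elements
  puts "naive literal: #{pg_array_literal_naive(injected)} -> #{parse_pg_array(pg_array_literal_naive(injected)).inspect}"
  puts "safe  literal: #{pg_array_literal_safe(injected)} -> #{parse_pg_array(pg_array_literal_safe(injected)).inspect}"
  unit = "<b>EUR</b>"     # constructed sample: markup arriving via the unit option
  puts "naive helper: #{number_to_currency_naive(12.5, unit: unit)}"
  puts "safe  helper: #{number_to_currency_safe(12.5, unit: unit)}"
end
```

Running it shows the naive array serializer storing two elements where the application meant to store one, and the naive helper passing markup straight through, while the escaped versions preserve the original value in both cases. The practical check for a deployment is the same for both CVEs: confirm the installed ruby-activerecord and ruby-actionpack are at 4.0.3 or later, and treat any helper option or column value that originates from a request as untrusted input for the format it is written into.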
References
- https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129715.html
- https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129716.html
- http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/
- https://bugs.mageia.org/show_bug.cgi?id=12896
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0080
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081
SRPMS
4/core
- ruby-actionmailer-4.0.3-1.mga4
- ruby-actionpack-4.0.3-1.mga4
- ruby-activemodel-4.0.3-1.mga4
- ruby-activerecord-4.0.3-1.mga4
- ruby-activesupport-4.0.3-1.mga4
- ruby-rails-4.0.3-1.mga4
- ruby-railties-4.0.3-1.mga4