Ispravljeni propusti paketa rubygem-activerecord

U radu programskog paketa rubygem-activerecord uočen je sigurnosni propust. Udaljeni napadač ga može iskoristiti za proizvoljno izvršavanje HTML, SQL i skriptnog koda.

Paket:	rubygem-activerecord 3.x
Operacijski sustavi:	Fedora 16
Kritičnost:	7.5
Problem:	pogreška u programskoj komponenti, XSS
Iskorištavanje:	udaljeno
Posljedica:	pokretanje SQL koda, umetanje HTML i skriptnog koda
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2011-2931, CVE-2011-2929, CVE-2011-2930, CVE-2011-2932
Izvorni ID preporuke:	FEDORA-2011-11386
Izvor:	Fedora

Problem:
Problemi sigurnosti se javljaju zbog više XSS ranjivosti, SQL injekcije te zbog pogrešaka u komponenti "actionpack/lib/action_view/template/resolver.rb".
Posljedica:
Udaljeni napadač ranjivosti može iskoristiti za proizvoljno pokretanje HTML, SQL i skriptnog koda.
Rješenje:
Rješenje problema sigurnosti je korištenje dostupnih zakrpa.

Izvorni tekst preporuke

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-11386
2011-08-23 13:28:29
--------------------------------------------------------------------------------

Name        : rubygem-activerecord
Product     : Fedora 16
Version     : 3.0.10
Release     : 1.fc16
URL         : http://www.rubyonrails.org
Summary     : Implements the ActiveRecord pattern for ORM
Description :
Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database
tables and classes together for business objects, like Customer or
Subscription, that can find, save, and destroy themselves without resorting to
manual SQL.

--------------------------------------------------------------------------------
Update Information:

Update to Rails 3.0.10 which fixes several security bugs.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #731436 - CVE-2011-2931 rubygem-actionpack: XSS vulnerability in
strip_tags helper (Ruby on Rails)
        https://bugzilla.redhat.com/show_bug.cgi?id=731436
  [ 2 ] Bug #731432 - CVE-2011-2929 rubygem-actionpack: filter skipping
vulnerability (Ruby on Rails)
        https://bugzilla.redhat.com/show_bug.cgi?id=731432
  [ 3 ] Bug #731438 - CVE-2011-2930 rubygem-activerecord: SQL injection
vulnerability in quote_table_name (Ruby on Rails)
        https://bugzilla.redhat.com/show_bug.cgi?id=731438
  [ 4 ] Bug #731435 - CVE-2011-2932 rubygem-activesupport: XSS vulnerability in
escaping function (Ruby on Rails)
        https://bugzilla.redhat.com/show_bug.cgi?id=731435
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update rubygem-activerecord' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Ispravljeni propusti paketa rubygem-activerecord

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Ispravljeni propusti paketa rubygem-activerecord

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti