[Frugalware-security] [ FSA-250 ] activesupport

voroskoi noreply at frugalware.org
Fri Aug 17 22:49:35 CEST 2007



Frugalware Security Advisory                           FSA-250

Date: 2007-08-17
Package: activesupport
Vulnerable versions: <= 1.4.1-1
Unaffected versions: >= 1.4.1-2terminus1
Related bugreport: http://bugs.frugalware.org/task/2200
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227

Description
===========

BCC has reported a vulnerability in Ruby on Rails, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to the "to_json" function is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
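As an added illustration of the weakness described above (example code written for this advisory page, not ActiveSupport's own implementation; the helper names are hypothetical): a JSON string encoder that escapes only what the JSON grammar requires lets a `</script>` carried in the data terminate an inline script block, whereas additionally escaping `<`, `>` and `&` as `\uXXXX` sequences keeps the literal valid JSON while making it inert inside HTML.

```ruby
require 'json'

# Constructed sample: attacker-influenced data that ends up inside a JSON
# literal which a view then embeds in an inline <script> block.
SAMPLE = '</script><b>injected</b>'.freeze

# Mirrors the vulnerable behaviour: escape only quotes, backslashes and
# control characters, i.e. the bare minimum for a syntactically valid JSON
# string. HTML-significant characters pass through untouched.
def naive_json_string(str)
  body = str.gsub(/["\\\x00-\x1f]/) do |ch|
    case ch
    when '"'  then '\\"'
    when '\\' then '\\\\'
    else format('\\u%04x', ch.ord)
    end
  end
  "\"#{body}\""
end

# Hardened form: also encode <, > and & as JSON unicode escapes. The output
# still parses back to the original string, but it can no longer close a
# <script> element or open a tag when placed in an HTML document.
HTML_ESCAPES = { '<' => '\\u003c', '>' => '\\u003e', '&' => '\\u0026' }.freeze

def safe_json_string(str)
  naive_json_string(str).gsub(/[<>&]/) { |ch| HTML_ESCAPES[ch] }
end

# Render the literal the way a template might: as a JS variable inside an
# inline script tag (hypothetical view helper).
def inline_script(json_literal)
  "<script>var data = #{json_literal};</script>"
end

# Detection check: a second closing </script> means the data broke out of
# the script context and the rest of the payload is parsed as HTML.
def script_breakout?(html)
  html.scan(%r{</script>}i).length > 1
end

def round_trips?(json_literal, original)
  JSON.parse("[#{json_literal}]").first == original
end

if __FILE__ == $PROGRAM_NAME
  puts inline_script(naive_json_string(SAMPLE))   # breaks out of <script>
  puts inline_script(safe_json_string(SAMPLE))    # stays a harmless string
end
```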

Updated Packages
================

Check if you have activesupport installed:

	# pacman-g2 -Q activesupport

If found, then you should upgrade to the latest version:

	# pacman-g2 -Sy activesupport


