-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2040
                           rails security update
                              26 August 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rails
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6316  

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3651

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running rails check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-3651-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 25, 2016                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : rails
CVE ID         : CVE-2016-6316
Debian Bug     : 834155

Andrew Carpenter of Critical Juncture discovered a cross-site scripting
vulnerability affecting Action View in rails, a web application
framework written in Ruby. Text declared as "HTML safe" will not have
quotes escaped when used as attribute values in tag helpers.
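The following is an added illustration, not Rails's own code or part of the advisory: a minimal model of how a tag helper renders an attribute value, showing the pre-fix behaviour described above next to a hardened version. SafeString stands in for an html_safe string, and the function names and sample input are this example's own assumptions.

```ruby
# Added illustration (not Rails code): a minimal model of how a tag helper
# renders an attribute value, showing the pre-fix behaviour and a hardened
# version. SafeString stands in for an html_safe string; the names here
# are this example's own assumptions.
require "cgi"

class SafeString < String; end   # marker: caller vouches the text is HTML safe

# Pre-fix behaviour: an "HTML safe" value is trusted verbatim, so a double
# quote inside it closes the attribute early.
def attr_before_fix(name, value)
  rendered = value.is_a?(SafeString) ? value : CGI.escapeHTML(value)
  %(#{name}="#{rendered}")
end

# Hardened behaviour: even an html_safe value gets its double quotes
# converted to &quot; in attribute context, because "safe as HTML body"
# says nothing about safety inside a quoted attribute.
def attr_after_fix(name, value)
  rendered = value.is_a?(SafeString) ? value : CGI.escapeHTML(value)
  %(#{name}="#{rendered.gsub('"', "&quot;")}")
end

# Defender-side check: a correctly rendered attribute contains exactly the
# two enclosing quotes; any more means the value broke out of it.
def attribute_intact?(rendered)
  rendered.count('"') == 2
end

# Constructed sample: text a developer marked html_safe because it holds an
# intentional <b> tag, but which also carries a stray double quote.
SAMPLE = SafeString.new(%(<b>Bold</b>" data-injected="1))

if __FILE__ == $0
  puts attr_before_fix("title", SAMPLE)  # attribute boundary broken
  puts attr_after_fix("title", SAMPLE)   # quotes neutralised
end
```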

For the stable distribution (jessie), this problem has been fixed in
version 2:4.1.8-1+deb8u4.

For the unstable distribution (sid), this problem has been fixed in
version 2:4.2.7.1-1.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----