[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 2403-1] rails security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2403-1               debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Markus Koschany
October 09, 2020                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : rails
Version        : 2:4.2.7.1-1+deb9u4
CVE ID         : CVE-2020-15169
Debian Bug     : 970040

A potential Cross-Site Scripting (XSS) vulnerability was found in rails,
a ruby based MVC framework. Views that allow the user to control the
default (not found) value of the `t` and `translate` helpers could be
susceptible to XSS attacks. When an HTML-unsafe string is passed as the
default for a missing translation key named html or ending in _html, the
default string is incorrectly marked as HTML-safe and not escaped.

For Debian 9 stretch, this problem has been fixed in version
2:4.2.7.1-1+deb9u4.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rails

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl+AqgBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeR0LA/+Ptd34aOaPRYM4CDl/GQTpZLpL/92mnN/hf69y4I9Z4rKoNq3YyzLFWva
TVqs+Zv2DwBPhdUivihmgLe5vQEkIvyGMLKMpeAZfehlreATGomjuqc61WEAb70h
ux2ULLd7t5ICqPS0c0pILbXCcvRjvxu40tk7CvXNiC5thoDWLPCyEXCSI/4676eL
k7SN2oZtRXyk9MBlLU1idDDrYnJ+INrQdDWfAHM24ok2D49oo5WsoqVOG5Fvo09I
v714jKZTBRZn33SCEZOnKK0RPnXoFKV89wMRONPLvxD7KBdeSNN0TcP2LUOZKipr
0WGZui7GcxJYiuf6FpRVqQ/dI467Q+80pYmBPZmbssESSrlGAHPjgURa3mVeZim5
OFXzj1Q7G8Wc5JvthGkDoOWE7zqKT5j5wFjqC7f0jH74qx1TOKhwd3qV7GLTF7Hy
7b45ICYDaTlbm2+kD6gpn7xVuPGdd4avNfxYYOGKNHZmmymy4YpvTwhjvDI1n0qx
D0gjYEG8SQyQ+kHH7Un+7J+RBKFcfMCMNpmrEtB/bZAIc2oEIJI6EodWVGp9wZgM
Xaxpg0MAyQY7QKwzG9lodZCvkhqumAu/bugtrvO2CSRtf43fH+p6gXUDKpo6aFT+
rbO3Sh90P2A4xh6H522SsBqkqMx8gAu6tGazPRtIk80U37zA8kQ=
=QUA6
-----END PGP SIGNATURE-----


Reply to: