[SECURITY] Fedora 11 Update: rubygem-activesupport-2.3.3-2.fc11

updates at fedoraproject.org updates at fedoraproject.org
Fri Sep 25 20:06:42 UTC 2009


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-9922
2009-09-25 19:42:00
--------------------------------------------------------------------------------

Name        : rubygem-activesupport
Product     : Fedora 11
Version     : 2.3.3
Release     : 2.fc11
URL         : http://www.rubyonrails.org
Summary     : Support and utility classes used by the Rails framework
Description :
Utility library which carries commonly used classes and
goodies from the Rails framework

--------------------------------------------------------------------------------
Update Information:

A vulnerability is found on Ruby on Rails in the escaping code for the form
helpers, which also affects the rpms shipped in Fedora Project. Attackers who
can inject deliberately malformed unicode strings into the form helpers can
defeat the escaping checks and inject arbitrary HTML. This issue has been tagged
as CVE-2009-3009.    These new rpms will fix this issue.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 23 2009 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 2.3.3-2
- Patch for CVE-2009-3009 (bug 520843)
* Sun Jul 26 2009 Jeroen van Meeuwen <j.van.meeuwen at ogd.nl> - 2.3.3-1
- New upstream version
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #520843 - CVE-2009-3009 ruby-activesupport: XSS vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=520843
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update rubygem-activesupport' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------




More information about the package-announce mailing list