oss-sec mailing list archives

Re: CVE request: ruby on rails flaws (4)


From: Vincent Danen <vdanen () redhat com>
Date: Sat, 20 Aug 2011 00:29:55 -0400 (EDT)

Sorry, there is one more flaw that needs a CVE assignment:

Response splitting flaw in 2.3.x (3.0.0 and later not affected).
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
https://github.com/rails/rails/commit/11dafeaa7533be26441a63618be93a03869c83a9
https://bugzilla.redhat.com/show_bug.cgi?id=732156

Sorry I missed this one earlier, I was looking at the 3.x advisory page and missed this one.

----- Original Message -----
----- Original Message -----
Could we get CVEs assigned to these flaws? Upstream had requested CVEs
prior to disclosure, but didn't receive any.

http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6

1) Filter Skipping bugs
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552
https://bugzilla.redhat.com/show_bug.cgi?id=731432

Use CVE-2011-2929



2) SQL Injection issues
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85
https://bugzilla.redhat.com/show_bug.cgi?id=731438

Use CVE-2011-2930



3) Parse error in strip_tags
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a
https://bugzilla.redhat.com/show_bug.cgi?id=731436

Use CVE-2011-2931



4) UTF-8 escaping vulnerability
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd
https://bugzilla.redhat.com/show_bug.cgi?id=731435

Use CVE-2011-2932

-- 
Vincent Danen / Red Hat Security Response Team

