Bug 1065520 (CVE-2014-0081)
| Summary: | CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> | ||||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | unspecified | CC: | apevec, athomas, ayoung, bdunne, bgollahe, bkearney, bleanhar, ccoleman, chrisw, cpelland, dajohnso, dmcphers, drieden, gkotton, hhorak, jfrey, jialiu, jrafanie, lhh, lmeyer, markmc, mmaslano, mmccune, mmcgrath, mpovolny, nobody+bgollahe, obarenbo, rbryant, sclewis, security-response-team, srevivo, tdawson, vondruch, xlecauch | ||||||||
| Target Milestone: | --- | Keywords: | Security | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | rubygem-actionpack 3.2.17, rubygem-actionpack 4.0.3, rubygem-actionpack 4.1.0.beta2 | Doc Type: | Bug Fix | ||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2019-06-08 02:31:39 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | 1065587, 1065588, 1065589, 1065590, 1065591, 1065592, 1065593, 1065891, 1066666, 1165362 | ||||||||||
| Bug Blocks: | 1065543 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Kurt Seifried
2014-02-14 20:41:07 UTC
Created attachment 863436 [details]
3-2-number_helpers_xss.patch
Created attachment 863437 [details]
4-0-number_helpers_xss.patch
Created attachment 863438 [details]
4-1-beta-number_helpers_xss.patch
Acknowledgements: Red Hat would like to thank the Ruby on Rails Project for reporting this issue. Upstream acknowledges Kevin Reintjes as the original reporter. Created rubygem-actionpack tracking bugs for this issue: Affects: fedora-all [bug 1066666] Fixed upstream in 3.2.17, 4.0.3, and 4.1.0.beta2: http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/ https://groups.google.com/forum/#!topic/ruby-security-ann/1PWnwW4jRkY Upstream commits (3.2, 4.0 and master): https://github.com/rails/rails/commit/eaa2101b294ef546cc3fb35cc3f49c73849ac470 https://github.com/rails/rails/commit/9e2d63d51a5e61bf1b0e7e369805aad84956cbe2 https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb rubygem-activerecord-4.0.0-2.fc20, rubygem-actionpack-4.0.0-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: CloudForms Management Engine 5.x Via RHSA-2014:0215 https://rhn.redhat.com/errata/RHSA-2014-0215.html This issue has been addressed in following products: Red Hat Software Collections for RHEL-6 Via RHSA-2014:0306 https://rhn.redhat.com/errata/RHSA-2014-0306.html Statement: Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift. |