An XSS vulnerability in the strip_tags helper in Ruby on Rails was reported [1] where, using specially crafted output, an attacker can successfully inject HTML into the document, which can be used to inject arbitrary JavaScript into the rendered page. This is corrected in upstream 3.0.10, 2.3.13, and 3.1.0rc5 versions. Patches are available in the advisory [1] and in git [2].

[1] http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
[2] https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a
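Two things a maintainer triaging this report wants to check are whether a given upstream actionpack version falls below the fixed versions named above (2.3.13, 3.0.10, 3.1.0rc5), and whether rendering still relies on strip_tags alone as a safety boundary. The following is an added example, not code from the Rails project or from this bug: the version table is taken from the comment above, while naive_strip_tags is an assumed stand-in for Rails' own sanitizer, used only to show the escape-after-strip pattern. Note that distribution packages such as the Fedora builds backport fixes without changing the upstream version number, so the version check applies to upstream gem versions only.

```ruby
require 'rubygems'
require 'cgi'

# Fixed actionpack versions named in the advisory above; anything older on
# the same release branch is treated as affected.
FIXED_ACTIONPACK = {
  '2'   => Gem::Version.new('2.3.13'),
  '3.0' => Gem::Version.new('3.0.10'),
  '3.1' => Gem::Version.new('3.1.0.rc5'),
}.freeze

# Returns :affected, :fixed, or :unknown when the branch is not covered by
# the advisory (e.g. releases that post-date it). Raises ArgumentError on a
# malformed version string, which is the right failure mode for a checker.
def actionpack_status(version_string)
  v = Gem::Version.new(version_string)
  major, minor = v.segments[0, 2]
  key = major == 2 ? '2' : "#{major}.#{minor}"
  fixed = FIXED_ACTIONPACK[key]
  return :unknown if fixed.nil?
  v < fixed ? :affected : :fixed
end

# Assumed stand-in for a tag stripper (not Rails' strip_tags). A stripper
# like this is not a safety boundary on its own: unbalanced markup such as
# "a <b c" leaves a '<' in the output.
def naive_strip_tags(html)
  html.gsub(/<[^>]*>/, '')
end

# Defence in depth: HTML-escape whatever the stripper returns before it is
# rendered, instead of marking it html_safe. Any '<', '>', '&' or quote that
# survives stripping is then displayed literally rather than parsed as markup.
def strip_tags_safely(html)
  CGI.escapeHTML(naive_strip_tags(html))
end

# Detection helper: true when stripped text still contains characters that
# could open a tag, which is worth logging while unpatched versions remain.
def residual_markup?(stripped)
  stripped.include?('<') || stripped.include?('>')
end

if __FILE__ == $0
  %w[2.3.8 3.0.5 3.0.10 3.1.0rc5 3.2.0].each do |ver|
    puts "actionpack #{ver}: #{actionpack_status(ver)}"
  end
  sample = 'a <b c'   # constructed input with an unclosed tag
  puts "stripped: #{naive_strip_tags(sample).inspect}"
  puts "escaped:  #{strip_tags_safely(sample).inspect}"
end
```

The version check deliberately returns :unknown for branches the advisory does not mention rather than guessing; the escape step is the general mitigation for any sanitizer bypass of this kind, since escaped text cannot become markup regardless of what the stripper missed.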
This flaw is rubygem-actionpack, not rubygem-rails.
Created rubygem-actionpack tracking bugs for this issue

Affects: fedora-all [bug 731448]
Affects: epel-5 [bug 677629]
This issue has been assigned the name CVE-2011-2931: http://www.openwall.com/lists/oss-security/2011/08/19/11
This issue has been addressed in Fedora-14, Fedora-15 and upcoming Fedora-16 via the following advisories:

fedora-14: https://admin.fedoraproject.org/updates/rubygem-actionpack-2.3.8-4.fc14
fedora-15: https://admin.fedoraproject.org/updates/rubygem-actionpack-3.0.5-4.fc15
fedora-16: https://admin.fedoraproject.org/updates/rubygem-activesupport-3.0.10-1.fc16,rubygem-activemodel-3.0.10-1.fc16,rubygem-activerecord-3.0.10-1.fc16,rubygem-activeresource-3.0.10-1.fc16,rubygem-actionpack-3.0.10-1.fc16,rubygem-actionmailer-3.0.10-1.fc16,rubygem-railties-3.0.10-1.fc16,rubygem-rails-3.0.10-1.fc16