An object leak vulnerability for wildcard controllers in Action Pack was reported. Users that have a route that contains the string ":controller" are susceptible to objects being leaked globally which can lead to unbounded memory growth. External References: https://groups.google.com/forum/#!msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/
Created rubygem-actionpack tracking bugs for this issue: Affects: fedora-all [bug 1301983]
Upstream commit: 4.1 https://github.com/rails/rails/commit/98629dfcce8d5ac2b97d0efece41b686daef8f02 4.2 https://github.com/rails/rails/commit/710c5ce91acd8b4277dc105e60bc5bda90ccbd8a
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2016:0296 https://rhn.redhat.com/errata/RHSA-2016-0296.html
rubygem-actionpack-4.2.0-3.fc22, rubygem-activemodel-4.2.0-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-4.2.3-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Via RHSA-2016:0454 https://rhn.redhat.com/errata/RHSA-2016-0454.html