SUSE-SU-2012:0366-1: moderate: Security update for rubygem-actionpack

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Mar 13 20:08:23 MDT 2012 

   SUSE Security Update: Security update for rubygem-actionpack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0366-1
Rating:             moderate
References:         #668817 #712057 #712058 #712060 #712062 
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:


   Ruby on Rails 2.1 received some security fixes.

   The following security issues have been fixed:

   rubygem-actionpack-2_1:

   * properly encode special html chars from strings with
   malformed unicode CVE-2011-2932
   * properly encode \r\n in the content-type header
   CVE-2011-3186
   * properly strip tags from strings with specially
   crafted values CVE-2011-2931
   * XSS Risk with mail_to (CVE-2011-0446)
   * CSRF Vulnerability in protect_from_forgery:
   (CVE-2011-0447)

   rubygem-activerecord-2_1:

   * fix vulnerability in the quote_table_name method
   which could allow malicious users to inject arbitrary SQL
   into a query (CVE-2011-2930)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp1fsp2-rubygem-actionpack-2_1-5875

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-rubygem-actionpack-2_1-5875

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

      rubygem-actionpack-2_1-2.1.2-1.12.2
      rubygem-activerecord-2_1-2.1.2-1.4.5

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      rubygem-actionpack-2_1-2.1.2-1.12.2
      rubygem-activerecord-2_1-2.1.2-1.4.5


References:

   https://bugzilla.novell.com/668817
   https://bugzilla.novell.com/712057
   https://bugzilla.novell.com/712058
   https://bugzilla.novell.com/712060
   https://bugzilla.novell.com/712062
   http://download.novell.com/patch/finder/?keywords=d47da4fd99cc8c7e9247d0c8c2fe1323

More information about the sle-security-updates mailing list