VUL-0: ruby on rails multiple vulnerabilities

This update of rails fixes the following security issues:

CVE-2011-2930 - SQL injection in the quote_table_name function via specially crafted column names (bnc#712062)
CVE-2011-2931 - Cross-Site Scripting (XSS) in the strip_tags helper (bnc#712057)
CVE-2011-3186 - Response splitting (bnc#712058)
CVE-2010-3933 - Arbitrary modification of records via specially crafted form parameters (bnc#712058)
CVE-2011-0446 - Cross-Site Scripting (XSS) in the mail_to helper (bnc#668817)
CVE-2011-0447 - Improper validation of the 'X-Requested-With' header (bnc#668817)
CVE-2011-0448 - SQL injection caused by improperly sanitized arguments to the limit function (bnc#668817)
CVE-2011-0449 - Bypass of access restrictions via specially crafted action names (bnc#668817)

Fixed bugs
bnc#712062
VUL-0: CVE-2011-2930: rubygem-rails: SQL Injection Vulnerability in quote_table_name
bnc#712057
VUL-0: CVE-2011-2931: rubygem-rails: XSS Vulnerability in strip_tags helper
bnc#712058
VUL-0: CVE-2011-3186: rubygem-rails: Response Splitting Vulnerability in Ruby on Rails
bnc#668817
VUL-0: ruby on rails multiple vulnerabilities
CVE#CVE-2011-2930
Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attacker
CVE#CVE-2011-2931
Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitr
CVE#CVE-2011-3186
CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.
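The defect class behind CVE-2011-3186 is a header value that reaches the response with a carriage return or line feed still inside it. The following is an added example, not code from Rails or from this update, showing the check a framework or application should apply before a value is written into a response header; the HeaderInjectionError class, safe_header_value, build_headers and the sample values are all assumptions made for this illustration.

```ruby
# Added example (not Rails's own code): refuse header values that contain
# CR or LF before they reach the HTTP response. CVE-2011-3186 describes
# this class of defect for the Content-Type header.

class HeaderInjectionError < StandardError; end

# Returns the value unchanged if it is safe to place in a response header,
# raises HeaderInjectionError if it carries a carriage return or line feed.
def safe_header_value(value)
  str = value.to_s
  raise HeaderInjectionError, "CR/LF in header value" if str.match?(/[\r\n]/)
  str
end

# Builds a minimal header block from a hash, validating every value.
# Hypothetical helper used only to show the check in context; not a Rails API.
def build_headers(headers)
  headers.map { |name, value| "#{name}: #{safe_header_value(value)}" }.join("\r\n") + "\r\n\r\n"
end

# Returns true when the value would be rejected by safe_header_value.
def header_injection?(value)
  safe_header_value(value)
  false
rescue HeaderInjectionError
  true
end

# Constructed sample inputs for the demonstration.
SAFE_TYPE    = "text/html; charset=utf-8"
CRAFTED_TYPE = "text/html\r\nX-Injected: 1"  # one value that would become two headers

if $PROGRAM_NAME == __FILE__
  puts build_headers("Content-Type" => SAFE_TYPE, "X-Frame-Options" => "DENY")
  puts "crafted value rejected: #{header_injection?(CRAFTED_TYPE)}"
end
```

Rejecting the value outright, rather than stripping the line breaks, keeps a crafted input from silently turning into a different but still accepted header and leaves a clear error to log.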
CVE#CVE-2010-3933
Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
CVE#CVE-2011-0446
Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) e
CVE#CVE-2011-0447
Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks vi
CVE#CVE-2011-0448
Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.
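CVE-2011-0448 comes down to a LIMIT argument that is interpolated into SQL without being forced to an integer. The following is an added example, not Rails's own sanitize_limit or any code from this update, showing the strict coercion that closes the gap; the InvalidLimitError class, sanitize_limit, select_with_limit and the constructed inputs are assumptions made for this illustration.

```ruby
# Added example (not Rails's own code): coerce a LIMIT argument to an
# integer, or refuse it, so the value placed into SQL can only carry digits.
# CVE-2011-0448 describes the defect of skipping this check.

class InvalidLimitError < ArgumentError; end

# Accepts an Integer, or a String/Symbol made up solely of digits with optional
# surrounding whitespace, and returns a non-negative Integer. Anything else is
# rejected rather than trimmed, so a crafted value fails loudly.
def sanitize_limit(limit)
  case limit
  when Integer
    value = limit
  when String, Symbol
    str = limit.to_s.strip
    raise InvalidLimitError, "non-numeric limit: #{limit.inspect}" unless str.match?(/\A\d+\z/)
    value = str.to_i
  else
    raise InvalidLimitError, "unsupported limit type: #{limit.class}"
  end
  raise InvalidLimitError, "negative limit" if value.negative?
  value
end

# Hypothetical query builder used only to show the sanitized value in place.
# The table name is assumed to come from application code, never from a request.
def select_with_limit(table, limit)
  "SELECT * FROM #{table} LIMIT #{sanitize_limit(limit)}"
end

# Returns true when the argument would be rejected by sanitize_limit.
def limit_rejected?(limit)
  sanitize_limit(limit)
  false
rescue InvalidLimitError
  true
end

if $PROGRAM_NAME == __FILE__
  puts select_with_limit("users", "10")
  # Constructed non-numeric value of the kind naive interpolation would accept.
  puts "rejected: #{limit_rejected?("10 OR 1=1")}"
end
```

The allow-list regex is the important part: calling to_i on an arbitrary string would quietly turn a crafted value into a number and hide the attempt, whereas an explicit rejection can be logged and alerted on.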
CVE#CVE-2011-0449
actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass i