Summary
Toby Hsieh, Peter McLarnan, Ankit Gupta, Sudhir Rao and Kevin Reintjes discovered multiple cross-site scripting and denial of service vulnerabilities in Ruby Actionpack.
Solution
For the stable distribution (wheezy), these problems have been fixed in version 3.2.6-6+deb7u1.
For the unstable distribution (sid), this problem has been fixed in version 3.2.16-3+0 of the rails-3.2 source package.
We recommend that you upgrade your ruby-actionpack-3.2 packages.
Insight
Action Pack is a framework for web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Affected
ruby-actionpack-3.2 on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2013-4389, CVE-2013-4491, CVE-2013-6414, CVE-2013-6415, CVE-2013-6417 -
CVSS Base Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N
Related Vulnerabilities