Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 6 Apr 2011 13:47:53 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE for ruby on rails XSS fixes

----- Original Message -----
> Hi,
> 
> Can someone assign a CVE for the XSS issue described in
> 
> https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG
> 

Here is the changelog text:

*Rails 3.0.6 (April 5, 2011)

* Fixed XSS vulnerability in `auto_link`.  `auto_link` no longer marks
  input as html safe.  Please make sure that calls to auto_link() are
  wrapped in a sanitize(), or a raw() depending on the type of input passed
  to auto_link().
  For example:

    <%= sanitize(auto_link(some_user_input)) %>

  Thanks to Torben Schulz for reporting this.  The fix can be found here:
  61ee3449674c591747db95f9b3472c5c3bd9e84d

Use CVE-2011-1497

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.