Updated rh-ror41-rubygem-actionpack, rh-ror41-rubygem-actionview, rh-ror41-rubygem-activemodel, and rh-ror41-rubygem-activerecord packages that fix multiple security issues are now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having Important security impact.

Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The rh-ror41 collection provides Ruby on Rails version 4.1. Ruby on Rails is a model-view-controller (MVC) framework for web application development.

The following issue was corrected in rubygem-actionpack and rubygem-actionview:

A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the ‘render’ method, a remote, unauthenticated attacker could use this to render unexpected files and, possibly, execute arbitrary code. (CVE-2016-0752)

The following issues were corrected in rubygem-actionpack:

A flaw was found in the way the Action Pack component performed MIME type lookups. Since queries were cached in a global cache of MIME types, an attacker could use this flaw to grow the cache indefinitely, potentially resulting in a denial of service. (CVE-2016-0751)

A flaw was found in the Action Pack component’s caching of controller references. An attacker could use this flaw to cause unbounded memory growth, potentially resulting in a denial of service. (CVE-2015-7581)

A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack. (CVE-2015-7576)

The following issue was corrected in rubygem-activerecord:

A flaw was found in the Active Record component’s handling of nested attributes in combination with the destroy flag. An attacker could possibly use this flaw to set attributes to invalid values or clear all attributes. (CVE-2015-7577)

The following issue was corrected in rubygem-activemodel and rubygem-activerecord:

A flaw was found in the way the Active Model based models processed attributes. An attacker with the ability to pass arbitrary attributes to models could possibly use this flaw to bypass input validation. (CVE-2016-0753)

Red Hat would like to thank the Ruby on Rails project for reporting these issues. Upstream acknowledges John Poulin as the original reporter of CVE-2016-0752, Aaron Patterson of Red Hat as the original reporter of CVE-2016-0751, Daniel Waterworth as the original reporter of CVE-2015-7576, Justin Coyne as the original reporter of CVE-2015-7577, and John Backus from BlockScore as the original reporter of CVE-2016-0753.

All rh-ror41 collection rubygem-actionpack, rubygem-actionview, rubygem-activemodel, and rubygem-activerecord packages users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using the rh-ror41 collection must be restarted for this update to take effect.
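The directory traversal flaw (CVE-2016-0752) above arises when request input reaches the template lookup behind ‘render’. The following is an added example, not Red Hat's or the Rails project's code: it shows, in plain Ruby with no Rails dependency, how an unchecked template name resolves outside the views directory, and the guard an application should apply before handing a user-influenced name to ‘render’. The views root, the allowlist of template names and the request values are constructed for the example.

```ruby
# Added example: guarding user-influenced template names (CVE-2016-0752 class).
# VIEWS_ROOT and ALLOWED_TEMPLATES are assumptions for this example, not
# values from the advisory or from Rails.
require "pathname"

VIEWS_ROOT = Pathname.new("/srv/app/app/views").freeze      # assumed app layout
ALLOWED_TEMPLATES = %w[dashboard reports settings].freeze   # assumed allowlist

class UnsafeTemplateName < StandardError; end

# Vulnerable pattern: whatever the client sent becomes the template path.
# Pathname#+ resolves "..", so "../../../../etc/passwd" ends up at /etc/passwd
# and an absolute input replaces the root outright.
def vulnerable_template_path(user_input)
  (VIEWS_ROOT + user_input.to_s).cleanpath
end

# True when the naive resolution leaves the views directory.
def escapes_views_root?(user_input)
  !vulnerable_template_path(user_input).to_s.start_with?(VIEWS_ROOT.to_s + "/")
end

# Hardened lookup: structural check, allowlist, and a containment check on the
# resolved path. Returns the validated name to pass to `render`; raises otherwise.
def safe_template_name(user_input)
  name = user_input.to_s
  # 1. Plain identifier only: no path separators, dots, NULs or whitespace.
  raise UnsafeTemplateName, "bad characters" unless name.match?(/\A[a-z0-9_]+\z/)
  # 2. Only templates the application intends to expose.
  raise UnsafeTemplateName, "not in allowlist" unless ALLOWED_TEMPLATES.include?(name)
  # 3. Belt and braces: the resolved path must still sit under VIEWS_ROOT.
  resolved = (VIEWS_ROOT + name).cleanpath
  unless resolved.to_s.start_with?(VIEWS_ROOT.to_s + "/")
    raise UnsafeTemplateName, "escapes views root"
  end
  name
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request values.
  ["dashboard", "../../../../etc/passwd", "/etc/passwd", "admin"].each do |input|
    naive = vulnerable_template_path(input)
    outcome = begin
      "allowed as #{safe_template_name(input)}"
    rescue UnsafeTemplateName => e
      "rejected (#{e.message})"
    end
    puts "#{input.inspect}: naive -> #{naive}, hardened -> #{outcome}"
  end
end
```

The allowlist is the check that actually matters: the containment test alone would still let a client pick any template the application has on disk, which is more than most endpoints intend to expose.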
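The MIME type lookup flaw (CVE-2016-0751) above is an instance of a general anti-pattern: a global cache keyed on attacker-controlled input with no bound on unknown keys. The following is an added example, not Red Hat's or the Rails project's code, modelled on the advisory's description rather than on the upstream source: a lookup table whose default block writes every unknown Accept value back into the table, beside a form that only ever caches registered types. The MIME type struct, the registered types and the simulated Accept values are constructed for the example.

```ruby
# Added example: unbounded global cache keyed on client input (CVE-2016-0751 class).
# MimeType, KNOWN_TYPES and the Accept values are constructed here, not taken
# from Rails.
MimeType = Struct.new(:string, :symbol)

KNOWN_TYPES = {
  "text/html"        => MimeType.new("text/html", :html),
  "application/json" => MimeType.new("application/json", :json),
  "application/xml"  => MimeType.new("application/xml", :xml),
}.freeze

# Vulnerable pattern: the Hash default block stores a new entry for every
# unknown key, so each distinct Accept header a client sends becomes a
# permanent object in a process-wide table.
VULNERABLE_LOOKUP = Hash.new { |h, k| h[k] = MimeType.new(k, nil) }
VULNERABLE_LOOKUP.merge!(KNOWN_TYPES)

def vulnerable_lookup(accept_value)
  VULNERABLE_LOOKUP[accept_value]
end

# Hardened: registered types are served from the frozen table; anything else is
# built for this request only and discarded, so the table cannot grow.
def safe_lookup(accept_value)
  KNOWN_TYPES.fetch(accept_value) { MimeType.new(accept_value, nil) }
end

# Simulate `requests` requests that each carry a unique, made-up Accept value,
# run them through the given lookup, and report how many entries `table` gained.
def entries_added_by(requests, table)
  before = table.size
  requests.times { |i| yield "application/x-attacker-#{i}" }
  table.size - before
end

if __FILE__ == $PROGRAM_NAME
  grown  = entries_added_by(1000, VULNERABLE_LOOKUP) { |v| vulnerable_lookup(v) }
  stable = entries_added_by(1000, KNOWN_TYPES) { |v| safe_lookup(v) }
  puts "vulnerable table gained #{grown} entries; hardened table gained #{stable}"
end
```

The same shape applies to the controller reference cache in CVE-2015-7581: any process-wide memo keyed on something the request can vary must be bounded, or must refuse to memoize keys it has not seen from configuration.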
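The timing attack on HTTP basic authentication (CVE-2015-7576) above comes from comparing secrets with an operator that stops at the first differing byte. The following is an added example, not Red Hat's or the Rails project's code: the leaky comparison beside a fixed-time comparison of the kind upstream adopted, which hashes both sides so that neither the length nor the content of the secret changes how long the check takes. The credentials are constructed for the example.

```ruby
# Added example: constant-time credential comparison (CVE-2015-7576 class).
# The user name and password values are constructed for this example.
require "digest"

# Vulnerable pattern: String#== returns as soon as one byte differs, so the
# response time grows with the number of leading bytes the attacker has right.
def naive_credentials_match?(given_user, given_pass, expected_user, expected_pass)
  given_user == expected_user && given_pass == expected_pass
end

# Fixed-time comparison of two byte strings of equal length: XOR every byte
# pair and OR the results, so the loop always runs to the end.
def fixed_time_eql?(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Hash both sides first so the compared values always have the same length;
# this hides the length of the secret as well as its content.
def secure_compare(a, b)
  fixed_time_eql?(Digest::SHA256.digest(a.to_s), Digest::SHA256.digest(b.to_s))
end

# Hardened check: both comparisons are evaluated unconditionally (`&` does not
# short-circuit), so a wrong user name costs the same as a wrong password.
def credentials_match?(given_user, given_pass, expected_user, expected_pass)
  secure_compare(given_user, expected_user) & secure_compare(given_pass, expected_pass)
end

if __FILE__ == $PROGRAM_NAME
  expected_user, expected_pass = "admin", "s3cret-example"   # constructed
  [["admin", "s3cret-example"], ["admin", "s3cret-wrong"], ["guest", "x"]].each do |u, p|
    puts "#{u}:#{p} -> naive=#{naive_credentials_match?(u, p, expected_user, expected_pass)} " \
         "fixed_time=#{credentials_match?(u, p, expected_user, expected_pass)}"
  end
end
```

Hashing before the comparison is what makes the technique robust in practice: a plain fixed-time loop still returns early on a length mismatch, which leaks the length of the stored secret.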
Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Red Hat Software Collections 1 for RHEL 6

SRPMS:
rh-ror41-rubygem-actionpack-4.1.5-3.el6.src.rpm
    MD5: 8602ef9abde7a96935c198e9a895d21b
    SHA-256: 08adb916b54200656ed19543a609818ad89f6a9a7bbcd205ffb4a63486b4cc77
rh-ror41-rubygem-actionview-4.1.5-4.el6.src.rpm
    MD5: a9e0ae684db451cc264de30d992df33d
    SHA-256: 17685a37b6c3789dc3896f4b1bc18720ddbb5f3dcb61092882c3064e4b043065
rh-ror41-rubygem-activemodel-4.1.5-2.el6.src.rpm
    MD5: 0207638989c4edb5b88b5849fe2b2110
    SHA-256: fb3090ff8d58107c7f159fd51992f8c8f801fd82ba2e76e626c701500101ce19
rh-ror41-rubygem-activerecord-4.1.5-2.el6.src.rpm
    MD5: be3eb51dab72eba90a4529e10f70dc9d
    SHA-256: d9a14ffdccfada579c2020393592a5dd821ae9f2d76915be9bdc0d671c2aee2e
rh-ror41-rubygem-activesupport-4.1.5-3.el6.src.rpm
    MD5: 80f2ec203c1312420b5cebbe1ff0fe92
    SHA-256: d2ddea76fca7f653c631b9f58be2d4feef8872b897f34571ad8aa907c1f767ff
 
x86_64:
rh-ror41-rubygem-actionpack-4.1.5-3.el6.noarch.rpm
    MD5: 199c46bd566f35f7f01c4de6dd3db337
    SHA-256: c0dd21c413bd6a3bc1cf6110349510bbc5c516bfdb7769c819449a9a2c9713c7
rh-ror41-rubygem-actionpack-doc-4.1.5-3.el6.noarch.rpm
    MD5: d8b3723f2e3dc2751d07ec15955a1236
    SHA-256: 6ef0f8b7c3d67c477abaadd82da8c4cce5a2062e3af102881e132b5c63bbf34f
rh-ror41-rubygem-actionview-4.1.5-4.el6.noarch.rpm
    MD5: ba08e72e91f30f6f3ad1e59782fde422
    SHA-256: 34938ebb5c7eb403222eeef0d74f6215308bb8e9962d9b015dc0cfda77e34f7e
rh-ror41-rubygem-actionview-doc-4.1.5-4.el6.noarch.rpm
    MD5: 5c5456e7696414ba5e6864a8fc3d9dd3
    SHA-256: 0fbbe90564f3560191fb448852587986aa86024d13f2b8deac4dbd4ed98d929c
rh-ror41-rubygem-activemodel-4.1.5-2.el6.noarch.rpm
    MD5: baf7570f93a7bfbbc24c7d7cfedcd453
    SHA-256: dda9fc41d9b78772df531a24496f872f0697a1ff9d81ef6972cd5ebcc50d9241
rh-ror41-rubygem-activemodel-doc-4.1.5-2.el6.noarch.rpm
    MD5: 9137c7d86f813118d94a51a1f3bb67a9
    SHA-256: e75fe5c224e63f55d58fe26a0591096590153a1c535a766068a6fdd5dace514e
rh-ror41-rubygem-activerecord-4.1.5-2.el6.noarch.rpm
    MD5: a997fbc0ef4577a80f1ca344c45656ca
    SHA-256: 09427d49ab14fc1a537e3e07a8bfc4cc358443bc61dcd2e8043161f85262aa43
rh-ror41-rubygem-activerecord-doc-4.1.5-2.el6.noarch.rpm
    MD5: 600522a2587a585429cbf3ef83758290
    SHA-256: 0df9007f76284a593d1fe7e2aec97b05b7b83bd68ee6ed9bbe28cc08bebe675c
rh-ror41-rubygem-activesupport-4.1.5-3.el6.noarch.rpm
    MD5: 85f9b8b66bcfa3038c9f205ab8cdb5e3
    SHA-256: 06732a6a74fb421119f5dbae07bdffc3704b0a672aeb530e243f9e42c40f1f77
 
Red Hat Software Collections 1 for RHEL 7

SRPMS:
rh-ror41-rubygem-actionpack-4.1.5-3.el7.src.rpm
    MD5: dca981c834df77c7c4fb682c10da871a
    SHA-256: 3a688a5d5e85c411eb1f91bceb70bd690c8c4cd938d19b9ae10f9c55a09fb8b1
rh-ror41-rubygem-actionview-4.1.5-4.el7.src.rpm
    MD5: 454edef5ae08fab862f14ea1c4fa92c9
    SHA-256: 1685edfa52a270d72702950ff7c8040ae26cb994ad86e2613440e9b52504404e
rh-ror41-rubygem-activemodel-4.1.5-2.el7.src.rpm
    MD5: 0c1ec934aba7f1e2f6ba26df66ae7313
    SHA-256: 6fb6c4cbb30083c00564ee30d687a2df3ec8ae7756da231aed799b5c4c61976a
rh-ror41-rubygem-activerecord-4.1.5-2.el7.src.rpm
    MD5: 633d9dbf6356161b891f411ca96d8af6
    SHA-256: 79968155e5beb077ae5219817bbfd869c958d3b9c54aaeec755d91daaab4cffd
rh-ror41-rubygem-activesupport-4.1.5-3.el7.src.rpm
    MD5: 54e528dc98f39ad644323bf297f62eb5
    SHA-256: 2752ee6a50e4c6a563fd63dc2e6ba998cbbc24842d905b48a75e472c182e9df4
 
x86_64:
rh-ror41-rubygem-actionpack-4.1.5-3.el7.noarch.rpm
    MD5: b44d08441f3a590411fa73bc06b67a9c
    SHA-256: 9fce2d6e94db6a7af906cc6e3b9922b5c97e29151d83444daaf972cfd76b4605
rh-ror41-rubygem-actionpack-doc-4.1.5-3.el7.noarch.rpm
    MD5: 21fc316de7e78bb650e60e8712011fc1
    SHA-256: cf0c2bd64af9c87789625b2890343cee17e1f6a23997be445dbfc87b10bf3004
rh-ror41-rubygem-actionview-4.1.5-4.el7.noarch.rpm
    MD5: 8722d02d6948bba79a954b7f82e3675d
    SHA-256: da5393e7496f65b0a45bd20251705bc105eb984b1572c23083aeb822f4643261
rh-ror41-rubygem-actionview-doc-4.1.5-4.el7.noarch.rpm
    MD5: 300b135090a2035a2b5a798027b5931f
    SHA-256: dd661ab32aa56ce106807cea47c1389d0f3ad3d5e39b489c1e4baa6e30d6c9a4
rh-ror41-rubygem-activemodel-4.1.5-2.el7.noarch.rpm
    MD5: 21e8c313067beab532cc487ce24adedf
    SHA-256: a29fa07c58b8c792adc01042ea8eb435f2818c5982eedce8026e93e1013718f5
rh-ror41-rubygem-activemodel-doc-4.1.5-2.el7.noarch.rpm
    MD5: 8cb3f7cecb0ea52d1a1edc88ea06c17b
    SHA-256: 7bfa35a5227dc553f615b45cd4c99bab4f9426c9c54d773aff677d69e5576fc5
rh-ror41-rubygem-activerecord-4.1.5-2.el7.noarch.rpm
    MD5: 358c999cc68e5f295be37d1fd3c7e5bb
    SHA-256: 5f7337d3e75a3d8c247c2035ef78fa59564b866e464feb980c82e21a87205fd6
rh-ror41-rubygem-activerecord-doc-4.1.5-2.el7.noarch.rpm
    MD5: 2b3f63512065974e1e1cbda03a946777
    SHA-256: b26710e484e7cfe0ab1de70efb994b7a9778708bc16853300b1f4e83ef38254e
rh-ror41-rubygem-activesupport-4.1.5-3.el7.noarch.rpm
    MD5: 962e1ea2c56c6eac6ef59defcecd66f8
    SHA-256: 3029b266122289a982a5996571a61d4679ad813b5ac7e646d4d9f9e1225da402
 
(The unlinked packages above are only available from the Red Hat Network)

1301933 – CVE-2015-7576 rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller
1301946 – CVE-2016-0751 rubygem-actionpack: possible object leak and denial of service attack in Action Pack
1301957 – CVE-2015-7577 rubygem-activerecord: Nested attributes rejection proc bypass in Active Record
1301963 – CVE-2016-0752 rubygem-actionview, rubygem-actionpack: directory traversal flaw in Action View
1301973 – CVE-2016-0753 rubygem-activemodel, rubygem-activerecord: possible input validation circumvention in Active Model
1301981 – CVE-2015-7581 rubygem-actionpack: Object leak vulnerability for wildcard controller routes in Action Pack

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: