An update for rh-ror42-rubygem-actionview, rh-ror42-rubygem-activerecord, and rh-ror42-rubygem-actionpack is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Ruby on Rails is a model-view-controller (MVC) framework for web application development.

Action View implements the view component, and Active Record implements the model component.

Security Fix(es) in rubygem-actionview:

* It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack. (CVE-2016-6316)

Security Fix(es) in rubygem-activerecord:

* A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application. (CVE-2016-6317)

Red Hat would like to thank the Ruby on Rails project for reporting these issues. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the original reporter of CVE-2016-6316; and joernchen (Phenoelit) as the original reporter of CVE-2016-6317.
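The Action View issue above (CVE-2016-6316) comes down to one decision in the tag helpers: a value marked HTML safe was written into an attribute verbatim, so a double quote inside it closed the attribute early. The following is an added illustration, not code from the advisory or from Rails: SafeString stands in for the html_safe string type, vulnerable_attribute models the unescaped behaviour, and fixed_attribute models the remedy of always replacing the attribute delimiter with &quot; even for HTML-safe input. The onmouseover payload is a constructed test value.

```ruby
require "erb"

# Stand-in for a string that has been declared HTML safe (what `.html_safe`
# yields in Rails). Assumption for this example only; the real class has
# far more behaviour than this.
class SafeString < String
  def html_safe?
    true
  end
end

def html_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Model of the flawed behaviour: an HTML-safe value is trusted verbatim,
# so a double quote inside it terminates the attribute value early and
# whatever follows becomes a new attribute.
def vulnerable_attribute(name, value)
  escaped = html_safe?(value) ? value : ERB::Util.html_escape(value)
  %(#{name}="#{escaped}")
end

# Model of the corrected behaviour: HTML-safe values still skip full entity
# escaping (so "&amp;" is not double-encoded), but the double quote that
# delimits the attribute is always rewritten to &quot;.
def fixed_attribute(name, value)
  escaped = html_safe?(value) ? value : ERB::Util.html_escape(value)
  %(#{name}="#{escaped.gsub('"', "&quot;")}")
end

# A correctly rendered single attribute contains exactly two double quotes.
# More than two means the value escaped its delimiter.
def attribute_broken_out?(rendered)
  rendered.scan('"').size > 2
end

if $PROGRAM_NAME == __FILE__
  payload = SafeString.new('x" onmouseover="alert(1)') # constructed test value
  puts vulnerable_attribute("title", payload)           # delimiter broken
  puts fixed_attribute("title", payload)                # delimiter intact
end
```

The practical check for an application on the affected versions is to grep views and helpers for values passed to tag helpers that are marked html_safe (or come from raw or SafeBuffer concatenation) and are used as attribute values; the fix neutralises the delimiter without changing how already-escaped entities in those strings are rendered.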
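For the Active Record issue (CVE-2016-6317) the mechanism is that a JSON request body can deliver a parameter as something other than a string, and a finder that selects its SQL operator from the Ruby type of the value then emits a different condition than the developer wrote. This is an added illustration, not Active Record's implementation: build_condition is a simplified, hypothetical predicate builder, the three JSON bodies are constructed, and the `.to_s` coercion in hardened_where is the mitigation assumed here (the advisory itself only names the update as the fix).

```ruby
require "json"

# Constructed JSON request bodies, as a JSON params parser would hand them
# to a controller: one ordinary lookup and two carrying non-string values.
REQUEST_BODIES = {
  normal: '{"name": "alice"}',
  null:   '{"name": null}',
  array:  '{"name": ["alice", "bob"]}',
}.freeze

def parse_params(body)
  JSON.parse(body)
end

# Hypothetical, simplified predicate builder: the operator is chosen from the
# Ruby type of the value, which is the behaviour that makes untyped client
# input dangerous. Returns [sql_fragment, bind_values].
def build_condition(column, value)
  case value
  when nil   then ["#{column} IS NULL", []]
  when Array then ["#{column} IN (#{Array.new(value.size, '?').join(', ')})", value]
  else            ["#{column} = ?", [value]]
  end
end

# Vulnerable pattern: whatever the JSON parser produced goes straight into
# the finder, so the client controls the shape of the WHERE clause.
def vulnerable_where(params)
  build_condition("name", params["name"])
end

# Hardened pattern: coerce to a string first, so the condition is always an
# equality test against a bound value no matter what type was sent.
def hardened_where(params)
  build_condition("name", params["name"].to_s)
end

# Stricter alternative: refuse anything that is not a plain string rather
# than silently coercing it.
def strict_where(params)
  value = params["name"]
  raise ArgumentError, "name must be a string" unless value.is_a?(String)
  build_condition("name", value)
end

if $PROGRAM_NAME == __FILE__
  REQUEST_BODIES.each do |label, body|
    params = parse_params(body)
    puts "#{label}: vulnerable=#{vulnerable_where(params).inspect} hardened=#{hardened_where(params).inspect}"
  end
end
```

The point to take from the output is that with the vulnerable pattern the null body turns an equality lookup into an IS NULL test and the array body into an IN list, while the hardened pattern keeps the operator fixed; either coercion or a type check is a reasonable defence in application code on top of applying the package update.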
Red Hat Software Collections 1 for RHEL 7

SRPMS:
rh-ror42-rubygem-actionpack-4.2.6-3.el7.src.rpm
    MD5: c50cbf87e1bd63261cad8fe9833e50e9
    SHA-256: 7384ebd9015a9b216da8a0561d51036ffa3f92faef150d36f62c7b4d6b0a828c
rh-ror42-rubygem-actionview-4.2.6-3.el7.src.rpm
    MD5: e64853061e2dd999a1094fe6aba37cc5
    SHA-256: bf70b0a4078e18700ed62a416ff8040a258cf67231f0bcc91c77ac8bb14c1cab
rh-ror42-rubygem-activerecord-4.2.6-3.el7.src.rpm
    MD5: a5ff14754e8de4c36ca5f1079b1a2b7c
    SHA-256: 9122e67bf0d71cc1659257c6c2a3bf97cabb9d458008c7e4a7efa7c33256d170
 
x86_64:
rh-ror42-rubygem-actionpack-4.2.6-3.el7.noarch.rpm
    MD5: ae23ed758875cd84c302875c454dd6f1
    SHA-256: ab11f8945c8556866fbcb4bf936ae854f46c3dad1f5bc60649ee199028f44963
rh-ror42-rubygem-actionpack-doc-4.2.6-3.el7.noarch.rpm
    MD5: 05f2850eb6c526b86e665fcee48747ca
    SHA-256: a1f87280999fe1c45d1fa7058177aa2a9425f7e58b16fb00d25c0d63ea17bb8b
rh-ror42-rubygem-actionview-4.2.6-3.el7.noarch.rpm
    MD5: 81116847972d5dc609df06c32a73ba5c
    SHA-256: 18061af4622d95919b161e92db30ef2f01a043792d75ee313b8018fd6d47f985
rh-ror42-rubygem-actionview-doc-4.2.6-3.el7.noarch.rpm
    MD5: 0f8e67d5cdce117372f8deb35a91c6c6
    SHA-256: 5ef9c152a0494073fd063c8bf5cb0dbc3b075c0544ea55530ec311ab4af3ba02
rh-ror42-rubygem-activerecord-4.2.6-3.el7.noarch.rpm
    MD5: 57f7fb7613fd07afeab0bc49d6cd1edf
    SHA-256: 47c5a4ebd88de277f914bcbcc54dea910d81026da6cffab3d48051eb2a0cce46
rh-ror42-rubygem-activerecord-doc-4.2.6-3.el7.noarch.rpm
    MD5: 723ece410faaee9f4a1d38b005dfa5b3
    SHA-256: 22a3d12952ac5f957cf2fc1890f51f531e1063e701640d19b9c9e5c8e942207c
 
(The unlinked packages above are only available from the Red Hat Network)

1365008 – CVE-2016-6316 rubygem-actionview: cross-site scripting flaw in Action View
1365017 – CVE-2016-6317 rubygem-activerecord: unsafe query generation in Active Record

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
