An update for rh-ror41-rubygem-actionview is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Ruby on Rails is a model-view-controller (MVC) framework for web application development.

Action View implements the view component.

Security Fix(es):

* It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack. (CVE-2016-6316)

Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the original reporter.
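The flaw above comes down to one rule: a string an application has marked HTML-safe may still contain the quote characters that delimit an attribute, so a tag helper must escape those quotes in attribute values regardless of the html_safe flag. The following is an added illustration written for this page, not Action View's code or the upstream patch; it uses a constructed stand-in for ActiveSupport::SafeBuffer (`SafeString`, `mark_safe`) and two hypothetical helpers, one showing the pre-fix behaviour and one showing the rule the fix enforces.

```ruby
require "cgi"

# Constructed, simplified model of a tag helper's attribute handling.
# It is NOT Action View's code; it illustrates the escaping rule the
# fix for CVE-2016-6316 enforces: quotes in attribute values are escaped
# even when the value is marked HTML-safe.

# Minimal stand-in for ActiveSupport::SafeBuffer: a String that remembers
# it was declared HTML-safe by the application.
class SafeString < String
  def html_safe?
    true
  end
end

# Stand-in for String#html_safe (assumption: same meaning, i.e. the
# application asserts the string is already escaped).
def mark_safe(str)
  SafeString.new(str)
end

# Pre-fix style behaviour: a value declared HTML-safe is inserted into the
# attribute verbatim, so an embedded '"' terminates the attribute early.
def attribute_value_unsafe(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  CGI.escapeHTML(value.to_s)
end

# Hardened behaviour: regardless of the html_safe? flag, the quote
# characters that delimit attributes are always escaped. Other characters
# in an HTML-safe string are left alone, preserving its intended markup.
def attribute_value_escaped(value)
  str = value.to_s
  if value.respond_to?(:html_safe?) && value.html_safe?
    str.gsub('"', "&quot;").gsub("'", "&#39;")
  else
    CGI.escapeHTML(str)
  end
end

# Build a single tag with one attribute using the chosen escaper.
def tag_with_attr(name, attr, value, escaper)
  %(<#{name} #{attr}="#{send(escaper, value)}">)
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: the application marks a string containing a double
  # quote as HTML-safe and passes it as a title attribute.
  title = mark_safe(%(say "hi"))
  puts tag_with_attr("span", "title", title, :attribute_value_unsafe)
  puts tag_with_attr("span", "title", title, :attribute_value_escaped)
end
```

With the first helper the output is `<span title="say "hi"">`, where the second `"` has closed the attribute and the rest of the value lands in the tag itself; with the second helper it is `<span title="say &quot;hi&quot;">`. The design point is that the html_safe flag only vouches for the string as element content, not as an attribute value, so attribute delimiters must be escaped on the attribute path unconditionally.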
For details on how to apply this update, which includes the changes described in this advisory, refer to:

Running applications using rh-ror41-rubygem-actionview must be restarted for this update to take effect.

Red Hat Software Collections 1 for RHEL 6

    MD5: 74616d2c924a40453aaea97be815b2a5
    SHA-256: 0c3c6105aed2fbdee442a7e21f461e3692f7c71b975ec5e20d02b539ce90c1fd
    MD5: 5c153d0fd057cdc75305d508a0329037
    SHA-256: 4081cd27d131861b6be99ddaa52ff940173513c45ef992eba4d1b08b5804bfcb
    MD5: 294434a51d3b814c387f06c295f2757a
    SHA-256: 84ace0dec7809de12583c1164d11d29deec77311e0adf8f630b0f5edd3496bf6
Red Hat Software Collections 1 for RHEL 7

    MD5: f29cefa044a601558ec05433c09073b4
    SHA-256: 8b5d5b581dedb3c9b974b4f99aaf207eb7480767b0ddd6401c0c96a03882ee26
    MD5: e831352df3446961f6a0c77b64367480
    SHA-256: 09b75dc1ef01d603646b7d6b7f28bbdf49a7706d30b6a441ffb0c792b2068da0
    MD5: 55fc5deccc3c87a546a96a9f52500ab3
    SHA-256: 9fb00575253bce7e97cd66ecac616e6e565f095ab21cb6576bbc668fd65fedc3
(The unlinked packages above are only available from the Red Hat Network)

1365008 – CVE-2016-6316 rubygem-actionview: cross-site scripting flaw in Action View

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
