An update for ror40-rubygem-actionpack is now available for Red Hat SoftwareCollections.Red Hat Product Security has rated this update as having a security impact ofModerate.

A Common Vulnerability Scoring System (CVSS) base score, which gives adetailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
Ruby on Rails is a model-view-controller (MVC) framework for web applicationdevelopment.

Action Pack implements the controller and the view components.Security Fix(es):* It was discovered that Action View tag helpers did not escape quotes whenusing strings declared as HTML safe as attribute values.

A remote attacker coulduse this flaw to conduct a cross-site scripting (XSS) attack. (CVE-2016-6316)Red Hat would like to thank the Ruby on Rails project for reporting this issue.Upstream acknowledges Andrew Carpenter (Critical Juncture) as the originalreporter.
For details on how to apply this update, which includes the changes described inthis advisory, refer to:https://access.redhat.com/articles/11258All running applications using ror40-rubygem-actionpack must be restarted forthis update to take effect.Red Hat Software Collections 1 for RHEL 6

SRPMS:
ror40-rubygem-actionpack-4.0.2-8.el6.src.rpm
    MD5: c939350dc3472f96905a255cb2d6c413SHA-256: 11d637857d1e352b60f2c3f49f406dd5326fe535a02a3fbefd92f53ff427d20b
 
x86_64:
ror40-rubygem-actionpack-4.0.2-8.el6.noarch.rpm
    MD5: 3aac3e34c78e048ad522098cb97c666eSHA-256: 53be2256eed41bf380869753b6a70328b81518af7756f602fbd9463178f8d6e2
ror40-rubygem-actionpack-doc-4.0.2-8.el6.noarch.rpm
    MD5: 1b7835e382cbfeec2245e70a23db18dfSHA-256: 9c1ecdd449c326a053ddc4dd5e5f66b80cb8ff5ccb39744405aa64b85fe64abf
 
Red Hat Software Collections 1 for RHEL 7

SRPMS:
ror40-rubygem-actionpack-4.0.2-8.el7.src.rpm
    MD5: 34def467239786a07dfcee6115f60cf4SHA-256: 7f7c384c5bf1d4fd9574b198632b3ebc3df2829c2e58587d3a1f785324ede34f
 
x86_64:
ror40-rubygem-actionpack-4.0.2-8.el7.noarch.rpm
    MD5: 51394957f33a0025df0291afc29a2480SHA-256: febf41843c3a841f4a4d44d6a6eeab58cf1c387339e6cddc5b784a372dc1f141
ror40-rubygem-actionpack-doc-4.0.2-8.el7.noarch.rpm
    MD5: 7364785d4b8166e131c6e13e3bc45576SHA-256: db348b658925ac3d2f31103ac8c93f320774a4c900691615f4ff413bfcac2c10
 
(The unlinked packages above are only available from the Red Hat Network)

1365008 – CVE-2016-6316 rubygem-actionview: cross-site scripting flaw in Action View

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

Leave a Reply