An update for ruby193-rubygem-actionpack is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.

Security Fix(es):

* It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack. (CVE-2016-6316)

Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the original reporter.
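The flaw class described above, shown as an added example: a simplified, dependency-free model, not code from Rails or from the Red Hat packages. `SafeString`, `declared_safe?`, `tag_option_vulnerable`, `tag_option_hardened` and `attribute_names` are hypothetical names, and the sample value is constructed and uses a harmless `data-` attribute.

```ruby
require 'erb'

# Hypothetical stand-in for a string that has been declared HTML safe.
class SafeString < String
  def html_safe?
    true
  end
end

def declared_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# "Before" behaviour as the advisory describes it: a value declared HTML safe
# is copied into the attribute unchanged, so a double quote inside it ends
# the attribute early and the rest is parsed as further markup.
def tag_option_vulnerable(name, value)
  rendered = declared_safe?(value) ? value.to_s : ERB::Util.html_escape(value)
  %(#{name}="#{rendered}")
end

# Hardened behaviour (assumed shape of a fix, not the shipped patch): the
# "safe" marking still skips general escaping, but double quotes are always
# encoded because the value is placed inside a double-quoted attribute.
def tag_option_hardened(name, value)
  rendered = declared_safe?(value) ? value.to_s : ERB::Util.html_escape(value)
  %(#{name}="#{rendered.gsub('"', '&quot;')}")
end

# Names of the attributes a parser would find in the rendered fragment.
def attribute_names(fragment)
  fragment.scan(/([\w-]+)="[^"]*"/).flatten
end

# Constructed sample: text declared HTML safe that contains a double quote.
CONSTRUCTED_VALUE = SafeString.new('hello" data-injected="1')

if __FILE__ == $PROGRAM_NAME
  before = tag_option_vulnerable('title', CONSTRUCTED_VALUE)
  after  = tag_option_hardened('title', CONSTRUCTED_VALUE)
  puts "before: #{before} -> attributes #{attribute_names(before).inspect}"
  puts "after:  #{after} -> attributes #{attribute_names(after).inspect}"
end
```

Until the updated package is installed and the application restarted, the places to review are calls that pass a value marked HTML safe as a tag helper attribute.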
For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running applications using ruby193-rubygem-actionpack must be restarted for this update to take effect.

Red Hat Software Collections 1 for RHEL 6
Red Hat Software Collections 1 for RHEL 7
(The unlinked packages above are only available from the Red Hat Network)
1365008 – CVE-2016-6316 rubygem-actionview: cross-site scripting flaw in Action View
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: