
rails: multiple vulnerabilities

Package(s): rails
CVE #(s): CVE-2007-6077, CVE-2008-7248, CVE-2009-2422
Created: December 21, 2009
Updated: March 15, 2010
Description:

From the Gentoo advisory:

sameer reported that lib/action_controller/cgi_process.rb removes the :cookie_only attribute from the default session options (CVE-2007-6077), due to an incomplete fix for CVE-2007-5380 (GLSA 200711-17).

Steve from Coderrr reported that the CSRF protection in protect_from_forgery() does not parse the text/plain MIME format (CVE-2008-7248).
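To make the text/plain point concrete, the Ruby below is an added model written for this page (not Rails' code and not part of the advisory) of two request-verification routines: one that compares the authenticity token only when the request body is in an encoding the application parses, and a hardened one that requires a valid token on every non-GET/HEAD request regardless of Content-Type. The session token, the list of parsed encodings and the sample requests are all constructed for the example.

```ruby
# Constructed session token that the server issued to the browser.
SESSION_TOKEN = "constructed-session-token".freeze

# Constant-time string comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encodings the weak variant treats as "parsed" (constructed list for this model).
PARSED_ENCODINGS = %w[application/x-www-form-urlencoded multipart/form-data].freeze

# Weak variant: the token is compared only when the body encoding is one the
# application parses. A POST sent as text/plain never reaches the comparison
# and is reported as verified.
def verified_request_by_format?(req)
  return true if req[:method] == "GET"
  return true unless PARSED_ENCODINGS.include?(req[:content_type]) # text/plain skips the check
  secure_compare(req[:params]["authenticity_token"], SESSION_TOKEN)
end

# Hardened variant: any request that is not safe (GET/HEAD) must carry a valid
# token, whatever its Content-Type says.
def verified_request_hardened?(req)
  return true if %w[GET HEAD].include?(req[:method])
  token = req[:params]["authenticity_token"] || req[:headers]["X-CSRF-Token"]
  secure_compare(token, SESSION_TOKEN)
end

# Constructed requests used to exercise both variants.
def legit_post
  { method: "POST", content_type: "application/x-www-form-urlencoded",
    params: { "authenticity_token" => SESSION_TOKEN, "email" => "a@example.com" },
    headers: {} }
end

def text_plain_post
  # Body sent as text/plain: nothing is parsed into params, so no token is present.
  { method: "POST", content_type: "text/plain", params: {}, headers: {} }
end

def wrong_token_post
  { method: "POST", content_type: "application/x-www-form-urlencoded",
    params: { "authenticity_token" => "wrong" }, headers: {} }
end

if __FILE__ == $0
  puts "by-format, text/plain POST: #{verified_request_by_format?(text_plain_post)}"   # true (the gap)
  puts "hardened,  text/plain POST: #{verified_request_hardened?(text_plain_post)}"    # false
end
```

The design point is that CSRF verification keys off the HTTP method, not the body encoding: whether a body could be parsed says nothing about where the request originated.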

Nate reported a documentation error that leads to the assumption that a block returning nil passed to authenticate_or_request_with_http_digest() would deny access to the requested resource (CVE-2009-2422).
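The digest-auth item comes down to what the server does when the password block returns nil. The Ruby below is an added model written for this page (not Rails' implementation and not from the advisory): a simplified RFC 2617 check, once feeding the block's return value straight into the hash and once treating nil as "no such user". The realm, credential store, URI and nonce values are constructed.

```ruby
require 'digest/md5'

REALM = "Application".freeze

# Constructed credential store. A lookup written the way the old documentation
# example suggested returns nil for any username it does not know.
PASSWORDS = { "alice" => "s3cret" }.freeze
LOOKUP = ->(username) { PASSWORDS[username] }

# Simplified RFC 2617 response computation (qop="auth"); a model for this
# example, not the Rails code.
def digest_response(username, password, method, uri, nonce, nc, cnonce)
  ha1 = Digest::MD5.hexdigest([username, REALM, password].join(":"))
  ha2 = Digest::MD5.hexdigest([method, uri].join(":"))
  Digest::MD5.hexdigest([ha1, nonce, nc, cnonce, "auth", ha2].join(":"))
end

def expected_for(creds, password)
  digest_response(creds[:username], password, creds[:method], creds[:uri],
                  creds[:nonce], creds[:nc], creds[:cnonce])
end

# Server check that uses the block's return value as-is. Array#join renders nil
# as "", so an unknown user is silently verified against the empty password.
def valid_digest_unchecked?(creds, lookup)
  password = lookup.call(creds[:username])
  expected_for(creds, password) == creds[:response]
end

# Hardened check: nil from the lookup means "no such user"; deny before any
# hashing happens instead of letting nil degrade to "".
def valid_digest_checked?(creds, lookup)
  password = lookup.call(creds[:username])
  return false if password.nil?
  expected_for(creds, password) == creds[:response]
end

# What a client would present for a username/password (constructed nonce values).
def client_credentials(username, password)
  creds = { username: username, method: "GET", uri: "/admin",
            nonce: "constructed-nonce", nc: "00000001", cnonce: "constructed-cnonce" }
  creds.merge(response: expected_for(creds, password))
end

if __FILE__ == $0
  unknown = client_credentials("nobody", "")
  puts "unchecked, unknown user: #{valid_digest_unchecked?(unknown, LOOKUP)}" # true (the gap)
  puts "checked,   unknown user: #{valid_digest_checked?(unknown, LOOKUP)}"   # false
end
```

The lesson for anyone writing such a block is that returning nil is not a denial unless the caller treats it as one; the hardened variant makes that explicit rather than relying on the documentation.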

Alerts:
SuSE SUSE-SR:2010:006 2010-03-15
Gentoo 200912-02 rails 2009-12-20
SuSE SUSE-SR:2010:005 fetchmail, krb5, rubygem-actionpack-2_1, libexpat0, unbound, apache2-mod_php5/php5 2010-02-23



Copyright © 2025, Eklektix, Inc.