http://groups.google.com/group/rubyonrails-securityRuby on Rails: Security Google Group
Security annoucements for Ruby on Rails.
2008-08-23T15:41:37ZGoogle GroupsMichael Koziarskimich...@koziarski.com2008-08-23T15:41:37Zhttp://groups.google.com/group/rubyonrails-security/browse_thread/thread/9fb60a1e22a88d30/330bcb96de877996?show_docid=330bcb96de877996Re: DoS Vulnerabilities in REXML
The rexml-expansion-fix gem is now available from rubyforge and its <br> mirrors. To install it you need to run: <br> gem install rexml-expansion-fix <br> Once that command has completed add the following line to the bottom <br> of your environment.rb file: <br> require 'rexml-expansion-fix' <br> With that, your application will no longer be vulnerable.
Michael Koziarskimich...@koziarski.com2008-08-23T08:10:19Zhttp://groups.google.com/group/rubyonrails-security/browse_thread/thread/9fb60a1e22a88d30/64d4873c273c8e97?show_docid=64d4873c273c8e97DoS Vulnerabilities in REXML
The ruby-security team have published an advisory[1] about a DoS bug <br> affecting REXML users. Most rails applications will be affected by <br> this vulnerability and you're strongly advised to take the mitigating <br> steps recommended in the advisory. <br> The announcement contains details describing a monkeypatch which can
Michael Koziarskimich...@koziarski.com2007-11-24T22:16:29Zhttp://groups.google.com/group/rubyonrails-security/browse_thread/thread/1bea46abaebb2998/82eb2bccfafe4948?show_docid=82eb2bccfafe4948Ruby on Rails 1.2.6
The rails core team has released ruby on rails 1.2.6 to address a bug <br> in the fix for session fixation attacks(CVE-2007-5380). The CVE <br> Identifier for this new issue is CVE-2007-6077. <br> You should upgrade to this new release if you do not take specific <br> session-fixation counter measures in your application. 1.2.6 also
Michael Koziarskimich...@koziarski.com2007-10-12T22:30:23Zhttp://groups.google.com/group/rubyonrails-security/browse_thread/thread/034c7766ca4d5505/73a2f473a483b866?show_docid=73a2f473a483b866Ruby on Rails 1.2.5
The rails core team has released ruby on rails 1.2.5 to address a <br> potential XSS exploit with our json serialization. The CVE Identifier <br> for this problem is CVE-2007-3227. <br> You are only at risk if you embed the result of a .to_json call in a <br> page you generate. For example: <br> <script type="text/javascript">
Michael Koziarskimich...@koziarski.com2007-10-12T22:25:00Zhttp://groups.google.com/group/rubyonrails-security/browse_thread/thread/239b034f4f808834/e3473b373afff5a0?show_docid=e3473b373afff5a0Re: Ruby on Rails 1.2.4
The issues mentioned in this advisory now have CVE numbers. <br> CVE-2007-5379 <br> CVE-2007-5380 <br> This was a typo, to re-enable URL based sessions you need the <br> following line in your environment.rb file. <br> config.action_controller.sessi on_options[:cookie_only] = false
DHHdavid.heineme...@gmail.com2007-10-12T16:50:53Zhttp://groups.google.com/group/rubyonrails-security/browse_thread/thread/225dcc61aaefad42/4b6c62c789ad64f2?show_docid=4b6c62c789ad64f2Rails 1.2.5: Closes JSON XSS vulnerability
This release closes a JSON XSS vulnerability, fixes a couple of minor <br> regressions introduced in 1.2.4, and backports a handful of features <br> and fixes from the 2.0 preview release. <br> All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5, <br> though it isn't strictly necessary if you aren't working with JSON.
Michael Koziarskimich...@koziarski.com2007-10-10T01:33:45Zhttp://groups.google.com/group/rubyonrails-security/browse_thread/thread/239b034f4f808834/439c36b0eee81b47?show_docid=439c36b0eee81b47Ruby on Rails 1.2.4
The release of Ruby on Rails 1.2.4 addresses some potential security <br> issues, all users of earlier versions are advised to upgrade to 1.2.4: <br> The particular issues are: <br> Maliciously crafted requests to a rails application could cause the <br> XML parser to read files from the server's disk or the network. 1.2.4