Two rails security alerts today

Ryan Briones

Sep 3, 2009, 9:18:39 PM
to colum...@googlegroups.com
Timing Weakness in ActiveSupport::MessageVerifier and the Cookie Store

There is a weakness in the code Ruby on Rails uses to verify message digests in the cookie store. Because a non-constant-time algorithm is used to verify the signatures, an attacker may be able to determine when a forged signature is partially correct.

Versions Affected:  2.1.0 and *all* subsequent versions. 
Fixed Versions:     2.3.4, 2.2.3 


==========

XSS Vulnerability in Ruby on Rails

There is a vulnerability in the escaping code for the form helpers in Ruby on Rails. Attackers who can inject deliberately malformed Unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML. 

Versions Affected:  2.0.0 and *all* subsequent versions. 
Not affected:       Applications running on Ruby 1.9 
Fixed Versions:     2.3.4, 2.2.3 
Candidate CVE:      CVE-2009-3009 


--
Ryan Carmelo Briones
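The first advisory above describes a timing side channel in signature verification. The block below is an added example, not code from the advisory or from Rails, that puts the vulnerable pattern (a plain `==` on the digest) next to a constant-time comparison and uses a byte counter as a stand-in for the latency an attacker would measure. The secret, message and helper names (`sign`, `secure_compare`, `bytes_examined_by_early_exit`, `flip_hex_char`, `demo`) are all constructed for this example.

```ruby
require "openssl"

# Constructed secret for the demonstration; nothing here comes from the
# advisory or from Rails' own code.
SECRET = "demo-secret-not-from-the-advisory"

# HMAC-SHA1 hex digest, the same construction the cookie store signs with.
def sign(message, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, message)
end

# Vulnerable pattern: String#== returns as soon as it hits the first
# differing byte, so the time spent depends on how long the attacker's
# forged signature matches the real one.
def verify_insecure(message, signature, secret = SECRET)
  sign(message, secret) == signature
end

# Hardened pattern: look at every byte and OR the differences together, so
# the amount of work is the same wherever the first mismatch sits. Checking
# lengths first only leaks the digest length, which is fixed and public.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def verify_secure(message, signature, secret = SECRET)
  secure_compare(sign(message, secret), signature)
end

# Stand-in for the timing side channel: count how many bytes an early-exit
# comparison inspects before it gives up. Over a network the attacker sees
# this as latency rather than a byte count, but the shape of the leak is the same.
def bytes_examined_by_early_exit(expected, candidate)
  return 0 if expected.bytesize != candidate.bytesize
  expected.each_byte.with_index do |b, i|
    return i + 1 if candidate.getbyte(i) != b
  end
  expected.bytesize
end

# Copy of hex digest `sig` with the character at `index` changed, so the
# forgery is guaranteed to first differ exactly there.
def flip_hex_char(sig, index)
  replacement = sig[index] == "0" ? "1" : "0"
  sig[0, index] + replacement + sig[(index + 1)..-1]
end

# A forgery whose first eight characters are right is examined further than
# one that is wrong from the start; that difference is the signal an attacker
# uses to recover a signature one position at a time. The constant-time
# verifier gives the same answer for both without that difference in work.
def demo(message = "user_id=42")
  good = sign(message)
  near = flip_hex_char(good, 8)   # correct for 8 chars, wrong at the 9th
  far  = flip_hex_char(good, 0)   # wrong at the very first char
  {
    early_exit_near:  bytes_examined_by_early_exit(good, near),
    early_exit_far:   bytes_examined_by_early_exit(good, far),
    insecure_accepts: verify_insecure(message, good),
    insecure_rejects: !verify_insecure(message, near),
    secure_accepts:   verify_secure(message, good),
    secure_rejects:   !verify_secure(message, near) && !verify_secure(message, far),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

In practice you would not hand-roll this: Rack ships `Rack::Utils.secure_compare`, modern Rails has `ActiveSupport::SecurityUtils.secure_compare`, and Ruby 2.7 and later expose `OpenSSL.fixed_length_secure_compare`; the point of the block is only to make the leak visible. Whatever you use, the comparison must not exit on the first mismatch and should be applied to the full digest, never to a truncated one.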
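The second advisory says malformed Unicode defeats the form helpers' escaping on Ruby 1.8. The block below is an added example, not the advisory's or Rails' own fix, and it does not reproduce the 1.8 escaper bug; it shows the check a practitioner puts in front of any escaper: refuse or repair bytes that are not well-formed UTF-8 before escaping, so a stray lead byte can never hide the `<` that follows it. The input string and the helper names (`valid_utf8?`, `escape_strict`, `escape_lenient`, `no_raw_markup?`) are constructed for this example.

```ruby
require "cgi"

# Constructed input, not from the advisory: a lone UTF-8 lead byte (\xE2 opens
# a three-byte sequence) with no continuation bytes, immediately followed by
# markup. The interpreter tags the string UTF-8 but it is not well-formed.
MALFORMED = "\xE2<script>alert(1)</script>"

def valid_utf8?(s)
  s.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Strict policy: well-formed UTF-8 or nothing. Input the escaper might
# misparse never reaches it.
def escape_strict(s)
  raise ArgumentError, "input is not valid UTF-8" unless valid_utf8?(s)
  CGI.escapeHTML(s)
end

# Lenient policy: replace each malformed byte with U+FFFD, then escape.
# After scrubbing, the '<' that trailed the bad lead byte is an ordinary
# character and is escaped like any other.
def escape_lenient(s)
  CGI.escapeHTML(s.dup.force_encoding(Encoding::UTF_8).scrub("\uFFFD"))
end

# True when escaped output contains no raw angle brackets at all.
def no_raw_markup?(escaped)
  !escaped.include?("<") && !escaped.include?(">")
end

if __FILE__ == $PROGRAM_NAME
  puts escape_lenient(MALFORMED)
  begin
    escape_strict(MALFORMED)
  rescue ArgumentError => e
    puts "strict: #{e.message}"
  end
end
```

Which policy to pick depends on the application: rejecting invalid input is the safer default for data you generate yourself (signed cookies, IDs), while scrubbing is usually the right choice for free-text user input where dropping a request over one bad byte is unacceptable. Either way the decision happens once, before escaping, rather than being left to the escaper's regular expressions.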