rails: CVE-2016-6316: Possible XSS Vulnerability in Action View


Debian Bug report logs - #834155


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 12 Aug 2016 15:21:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version rails/2:4.1.8-1

Fixed in versions rails/2:4.2.7.1-1, rails/2:4.1.8-1+deb8u3

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#834155; Package src:rails. (Fri, 12 Aug 2016 15:21:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 12 Aug 2016 15:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rails: CVE-2016-6316: Possible XSS Vulnerability in Action View
Date: Fri, 12 Aug 2016 17:18:55 +0200
Source: rails
Version: 2:4.1.8-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for rails.

CVE-2016-6316[0]:
Possible XSS Vulnerability in Action View

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6316
[1] http://seclists.org/oss-sec/2016/q3/260
[2] https://groups.google.com/forum/#!msg/rubyonrails-security/I-VWr034ouk/gGu2FrCwDAAJ

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#834155; Package src:rails. (Mon, 22 Aug 2016 17:12:03 GMT)


Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 22 Aug 2016 17:12:04 GMT)


Message #10 received at 834155@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 834155@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#834155: rails: CVE-2016-6316: Possible XSS Vulnerability in Action View
Date: Mon, 22 Aug 2016 14:09:32 -0300
[Message part 1 (text/plain, inline)]
Hi,

On Fri, Aug 12, 2016 at 05:18:55PM +0200, Salvatore Bonaccorso wrote:
> Source: rails
> Version: 2:4.1.8-1
> Severity: important
> Tags: security upstream patch
> 
> Hi,
> 
> the following vulnerability was published for rails.
> 
> CVE-2016-6316[0]:
> Possible XSS Vulnerability in Action View
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-6316
> [1] http://seclists.org/oss-sec/2016/q3/260
> [2] https://groups.google.com/forum/#!msg/rubyonrails-security/I-VWr034ouk/gGu2FrCwDAAJ
> 
> Please adjust the affected versions in the BTS as needed.

AFAICT you got the versions right already. This issue affects stable,
while the other does not.

For stable, I have prepared a security update, have successfully tested
it on a sample application based on the upstream advisory description.
Attached you will find both the debdiff (rails.diff) and the actual
backported patch (CVE-2016-6316.patch); the latter is easier to read than
the diff-in-diff part of the former.

For unstable, both issues will be fixed by 2:4.2.7.1-1 (being uploaded
RSN)
[rails.diff (text/x-diff, attachment)]
[CVE-2016-6316.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#834155; Package src:rails. (Mon, 22 Aug 2016 17:33:09 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 22 Aug 2016 17:33:09 GMT)


Message #15 received at 834155@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Antonio Terceiro <terceiro@debian.org>
Cc: 834155@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#834155: rails: CVE-2016-6316: Possible XSS Vulnerability in Action View
Date: Mon, 22 Aug 2016 19:31:50 +0200
On Mon, Aug 22, 2016 at 02:09:32PM -0300, Antonio Terceiro wrote:
> Hi,
> 
> On Fri, Aug 12, 2016 at 05:18:55PM +0200, Salvatore Bonaccorso wrote:
> > Source: rails
> > Version: 2:4.1.8-1
> > Severity: important
> > Tags: security upstream patch
> > 
> > Hi,
> > 
> > the following vulnerability was published for rails.
> > 
> > CVE-2016-6316[0]:
> > Possible XSS Vulnerability in Action View
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-6316
> > [1] http://seclists.org/oss-sec/2016/q3/260
> > [2] https://groups.google.com/forum/#!msg/rubyonrails-security/I-VWr034ouk/gGu2FrCwDAAJ
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> AFAICT you got the versions right already. This issue affects stable,
> while the other does not.
> 
> For stable, I have prepared a security update, have successfully tested
> it on a sample application based on the upstream advisory description.
> Attached you will find both the debdiff (rails.diff) and the actual
> backported patch (CVE-2016-6316.patch); the latter is easier to read than
> the diff-in-diff part of the former.

Thanks, please upload to security-master

Cheers,
        Moritz



Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Mon, 22 Aug 2016 18:09:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 22 Aug 2016 18:09:08 GMT)


Message #20 received at 834155-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 834155-close@bugs.debian.org
Subject: Bug#834155: fixed in rails 2:4.2.7.1-1
Date: Mon, 22 Aug 2016 18:04:33 +0000
Source: rails
Source-Version: 2:4.2.7.1-1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 834155@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 22 Aug 2016 14:33:48 -0300
Source: rails
Binary: ruby-activesupport ruby-activerecord ruby-activemodel ruby-activejob ruby-actionview ruby-actionpack ruby-actionmailer ruby-railties ruby-rails rails
Architecture: source
Version: 2:4.2.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activejob - job framework with pluggable queues
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 834154 834155
Changes:
 rails (2:4.2.7.1-1) unstable; urgency=medium
 .
   * New upstream release; includes fixes for the following issues:
     - CVE-2016-6317: unsafe query generation in Active Record (Closes: #834154)
     - CVE-2016-6316: Possible XSS Vulnerability in Action View (Closes: #834155)
   * debian/watch: restrict to the 4.x series for now
Checksums-Sha1:
 c3fd66b8e85c3aa9f36474fbcb183ce926638e7e 3459 rails_4.2.7.1-1.dsc
 d8389a376f2b03547b1ce8f8df26f69f85e65d42 4181681 rails_4.2.7.1.orig.tar.gz
 0d71c6cf7ad9aad4b7178d61f86a6d74ee395abf 91812 rails_4.2.7.1-1.debian.tar.xz
Checksums-Sha256:
 1c48dfb0d1f1381af0837743a406fcde4df5e514d0de980bcbb631337b84e86e 3459 rails_4.2.7.1-1.dsc
 bfa7854f1b35e449b78db2af83fe660f17b101a487728fcfc6fb623967fb4783 4181681 rails_4.2.7.1.orig.tar.gz
 b77f47304b2cce12e6bea028aed45b07a4dcc91abbdb09d4ffa25b8bd9ef372b 91812 rails_4.2.7.1-1.debian.tar.xz
Files:
 8a61dbe7a7f377ddf0878748df21bf5a 3459 ruby optional rails_4.2.7.1-1.dsc
 d6755586a995283c91f15d857ef74387 4181681 ruby optional rails_4.2.7.1.orig.tar.gz
 e3ba9158d7216018f2bebe80b362de6a 91812 ruby optional rails_4.2.7.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJXuzyMAAoJEPwNsbvNRgveqJcP/3O6aOj5QN4bLqDdyPOjT5+l
KIJhT9L2tFBa0n7XafW8BSjfBdu0fb2Pgo7GabgetTCSy4fhIIpSOM4slSooTafL
xP6hQcA4WRQ8ni++N+34/85IHaPRaN8hHlXrsHzH0sZRWswdXQY3LBGZXsx4NGRJ
ziLTHyYfyILHKl+uNxiT6C6y/rXqcWh+6N17Z036SlUp9dDMGf/egfYtNOkJux1I
y8RfrprYTKOJLWk5Z0RKyb5fD1e+SJs3GtYAADWKGXsYjHTF/n7EqUMmPqLzPaCH
CHvO9XWM32r1oe3PyGouLK0dTnW2hTim54SqW/NqaAwmhvUWd5IPH0z56gs4XIPE
0yKGnXTNeV6b+UPNYow1+fiZstn+rLw3cu39k/NrZg5eqhCH/nq04njEm8/OZYCR
Chcohr9DmIf5jfK9282BeU7x+do+EF9xFnuoqQQ39rUBE92ga38XahfokyKuyLu0
M1K8vCP0XhH4bsSKBZc+/9hA9E2/5CI79Vmw4LxjlmeAKxhCKys396wtiiuORtf4
ybDLohNMvLyioLtDHcjU2ph9ESYdgysGc1Jlh9VHgmNf+oXTHwT/eI1UM7e0NeO0
rmnyjC+cGoG74lker3ZtUqc/hYZ3AddlirP3h8M4mbqfiNhb1N/pStH7sGthgFrg
CMHQzgwiEXRJUvF22oxE
=y1sI
-----END PGP SIGNATURE-----




Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Sun, 28 Aug 2016 12:54:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 Aug 2016 12:54:03 GMT)


Message #25 received at 834155-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 834155-close@bugs.debian.org
Subject: Bug#834155: fixed in rails 2:4.1.8-1+deb8u3
Date: Sun, 28 Aug 2016 12:48:05 +0000
Source: rails
Source-Version: 2:4.1.8-1+deb8u3

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 834155@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 22 Aug 2016 13:35:11 -0300
Source: rails
Binary: ruby-activesupport ruby-activesupport-2.3 ruby-activerecord ruby-activemodel ruby-actionview ruby-actionpack ruby-actionmailer ruby-railties ruby-rails rails
Architecture: source all
Version: 2:4.1.8-1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-activesupport-2.3 - transitional dummy package
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 834155
Changes:
 rails (2:4.1.8-1+deb8u3) jessie-security; urgency=high
 .
   * Security update
   * CVE-2016-6316: Possible XSS Vulnerability in Action View
     (Closes: Bug#834155)
Checksums-Sha1:
 031ea91e605be5e7c55048a2a52b8a999bf52e0d 2553 rails_4.1.8-1+deb8u3.dsc
 18bd61f9424d47520690d7e9162b2f998180b19a 99084 rails_4.1.8-1+deb8u3.debian.tar.xz
 9a6016890b7140bc90da9e4123c90930b419a565 205904 ruby-activesupport_4.1.8-1+deb8u3_all.deb
 b55aa22c4291405618af3da779e736344f5852d9 11346 ruby-activesupport-2.3_4.1.8-1+deb8u3_all.deb
 ae093d177bc8f304a3d543f6feaa958124aec64f 268384 ruby-activerecord_4.1.8-1+deb8u3_all.deb
 ff52069661b3a36f97227af2e8eed35314485f21 48590 ruby-activemodel_4.1.8-1+deb8u3_all.deb
 9c720c97d21c61ae59fa19fcf03ee290d77acacd 141270 ruby-actionview_4.1.8-1+deb8u3_all.deb
 e50483a01eb9b207a7fc18d37eee5da6aa488276 169738 ruby-actionpack_4.1.8-1+deb8u3_all.deb
 be8061ed2573a46287a828791fabe51601fc6ac8 31578 ruby-actionmailer_4.1.8-1+deb8u3_all.deb
 421d19e92e459eaa27947bc8981d546c3c580773 119080 ruby-railties_4.1.8-1+deb8u3_all.deb
 565433da4f481bf04335ef533b73929f2ead0b28 16400 ruby-rails_4.1.8-1+deb8u3_all.deb
 1cc6a3f82b9080e2ebd781b686c86b37f2aaab8c 11618 rails_4.1.8-1+deb8u3_all.deb
Checksums-Sha256:
 ab3d75ff2ace8f5f166c24a6b308d0726e3f83b1c4bffbb832ffb4e964ce8179 2553 rails_4.1.8-1+deb8u3.dsc
 bb11d372facaf92b7b728161e532b0483348a7cf5960d3026b30a13b4f80125a 99084 rails_4.1.8-1+deb8u3.debian.tar.xz
 e9f08d822da0208c9bcdbdc31a6b3165eb0a79ae7c1b2ae587eb102df7a179d3 205904 ruby-activesupport_4.1.8-1+deb8u3_all.deb
 bd935f60af367ef00ff1716748938dfded76ec40ab2904af1bfc41b047cb4d0d 11346 ruby-activesupport-2.3_4.1.8-1+deb8u3_all.deb
 a61629166a74965630defdfdfe6d59dae3a29642d436448b59af77d86dcdb4d1 268384 ruby-activerecord_4.1.8-1+deb8u3_all.deb
 37459c0cbab983e5e086435747cded06f8a94b839ad6baaffa5404228201105a 48590 ruby-activemodel_4.1.8-1+deb8u3_all.deb
 746da14e0d4f215fc96179af6a2ec683ad8aba1450f54a961769e76c0fbb1f10 141270 ruby-actionview_4.1.8-1+deb8u3_all.deb
 44b2a98c7702939c90375099683bfb876c2ac3815c90ec7992a2b8510c19f06f 169738 ruby-actionpack_4.1.8-1+deb8u3_all.deb
 33041895f9432bf9558078a204ec19ec8d65caf15b826f2ca795e1f53888f542 31578 ruby-actionmailer_4.1.8-1+deb8u3_all.deb
 8751caa06da3ab60ccfc64df8be407553189354362e03034ac7030ca6357d5bb 119080 ruby-railties_4.1.8-1+deb8u3_all.deb
 bae3c08b11b39dffaf3ac38674e14c75768040ba76a9f500b01940fbec8477fd 16400 ruby-rails_4.1.8-1+deb8u3_all.deb
 a3fca85f113e196d4e8bccc9fbd626222d9cb6ae3060e6a8f5d21e6116dd7a30 11618 rails_4.1.8-1+deb8u3_all.deb
Files:
 4574d1c0b956726f7be3d2a422b81290 2553 ruby optional rails_4.1.8-1+deb8u3.dsc
 bae0a9f35f41d4fcbaba72f66ae3f6e4 99084 ruby optional rails_4.1.8-1+deb8u3.debian.tar.xz
 d75db6749b18548c442ebeb60503b0e7 205904 ruby optional ruby-activesupport_4.1.8-1+deb8u3_all.deb
 b7be20f245105ba6e1d2b687a6053bd5 11346 ruby optional ruby-activesupport-2.3_4.1.8-1+deb8u3_all.deb
 55bd6cf0b98fd1dca30fc44784305756 268384 ruby optional ruby-activerecord_4.1.8-1+deb8u3_all.deb
 9a827da6492dcbc95772047320f821f5 48590 ruby optional ruby-activemodel_4.1.8-1+deb8u3_all.deb
 1d3ae5239a8d95bd31a9551d31b0d2c2 141270 ruby optional ruby-actionview_4.1.8-1+deb8u3_all.deb
 cc4ace83439848f723e5d641d2cc3f89 169738 ruby optional ruby-actionpack_4.1.8-1+deb8u3_all.deb
 97e81b03087d70807755998e058e2de9 31578 ruby optional ruby-actionmailer_4.1.8-1+deb8u3_all.deb
 1f34c6e9c6d4b6e20823aa86d8d084d4 119080 ruby optional ruby-railties_4.1.8-1+deb8u3_all.deb
 a626c6913ef9ce1c58454acb023c8dd8 16400 ruby optional ruby-rails_4.1.8-1+deb8u3_all.deb
 fb13d31ea8086be42f4cf065b662ae6f 11618 ruby optional rails_4.1.8-1+deb8u3_all.deb

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJXu0CqAAoJEPwNsbvNRgver6IQAO10RcDNeqMcbVIjOutQgiOD
HlzossBNGEFS+hF96pHS/x0GyoahkQWdCq8dFQ//Prj0WhECKwd+ap8zqdO+knVL
p1FQqt6hGZoejjjcKueCw6+Tb8BBHFCyS4FpI9QrCI5njj1NPm7jgqRndXP+sHhR
Y+DrD9LRo5nPbSy+S59BkjxeWis2pq4cOszqM1AuPyrkUIh0tudM9voniCtTiIXa
P61X604USoREZP8/M7WyjIr0ULeiLJvumWViST3Wb7VaP6E7uqkDXnVV6rxNUzud
bybmQ9zWsrVq2UODZ6wVzM1RyVxd2rQbm/lOTkbduMcc67Jcx81n4qqaYJ7an54A
IHDvi0sNFT54w5dNtM3A+8zC2xM3Rbi84hUf6lus1uVNt1Si4Wu1aImIIE6sR7cX
RCKUJEgLjLVzPFw1aa3u0SOlbFZR3Hhch4rSmc/aZRvZpbqzULc2/bqeAUVkd2y1
3hanZVxPQPwIbA6O8XNKJavYWtW6BCr/k0OGVKGlFk5TQ1KNISUD/MsgL0Rlp+rO
ta3GC7Q1zMAVSmak21nYo1zjH/H3E7bf67MrNu5CR934MoEnMYrkCF7vhptsByaL
3Bz7olQKrA08gGNvrRpDZQWKNUr8Tj/xaqdvjyYJ6lWZU9zj5mx0aRsERcgYzbpv
Rqg5gEaVU0p0yMY2DqAi
=erL8
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Sep 2016 07:32:41 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:22:06 2019; Machine Name: buxtehude
