Several vulnerabilities have been discovered in Rails, the Ruby web
application framework. The Common Vulnerabilities and Exposures project
identifies the following problems:
- CVE-2009-4214
A cross-site scripting (XSS) vulnerability had been found in the
strip_tags function. An attacker may inject non-printable characters
that certain browsers will then evaluate. This vulnerability only
affects the oldstable distribution (lenny).
- CVE-2011-2930
A SQL injection vulnerability had been found in the quote_table_name
method that could allow malicious users to inject arbitrary SQL into a
query.
- CVE-2011-2931
A cross-site scripting (XSS) vulnerability had been found in the
strip_tags helper. An parsing error can be exploited by an attacker,
who can confuse the parser and may inject HTML tags into the output
document.
- CVE-2011-3186
A newline (CRLF) injection vulnerability had been found in
response.rb. This vulnerability allows an attacker to inject arbitrary
HTTP headers and conduct HTTP response splitting attacks via the
Content-Type header.
For the oldstable distribution (lenny), this problem has been fixed in
version 2.1.0-7+lenny2.
For the stable distribution (squeeze), this problem has been fixed in
version 2.3.5-1.2+squeeze2.
For the unstable distribution (sid), this problem has been fixed in
version 2.3.14.
We recommend that you upgrade your rails packages.