The rh-ror41 collection provides Ruby on Rails version 4.1. Ruby on Rails
is a model-view-controller (MVC) framework for web application development.
The following issues were corrected in rubygem-actionview:
A directory traversal flaw was found in the way the Action View component
searched for templates for rendering. If an application passed untrusted
input to the βrenderβ method, a remote, unauthenticated attacker could use
this flaw to render unexpected files and, possibly, execute arbitrary code.
(CVE-2016-2097)
A code injection flaw was found in the way the Action View component
searched for templates for rendering. If an application passed untrusted
input to the βrenderβ method, a remote, unauthenticated attacker could use
this flaw to execute arbitrary code. (CVE-2016-2098)
Red Hat would like to thank the Ruby on Rails project for reporting these
issues. Upstream acknowledges Jyoti Singh and Tobias Kraze (makandra) as
original reporters of CVE-2016-2097, and Tobias Kraze (makandra) and
joernchen (Phenoelit) as original reporters of CVE-2016-2098.
All rh-ror41 collection rubygem-actionview packages users are advised to
upgrade to these updated packages, which contain backported patches to
correct these issues. All running applications using the rh-ror41
collection must be restarted for this update to take effect.