1. 3
    Multiple Ruby on Rails vulnerabilities ruby security groups.google.com
    jasper avatar via jasper 7 years ago |
    Archive.org Archive.today Ghostarchive
    | 1 comment
    1. 1
      zg avatar zg 7 years ago | link

      Here’s a summary (shamelessly snagged from HN):

      • [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack: Look for routes that contain “:controller” and change it to something else. Hopefully you didn’t have this weird name in your routes.

      • [CVE-2015-7578/79] Possible XSS vulnerability in rails-html-sanitizer: You’re safe if you use a single page application that properly encode for you. Stripping tags isn’t the best way anyway to filter XSS, so if you’re encoding, you’re good.

      • [CVE-2016-0753] Possible Input Validation Circumvention in Active Model: params.permit! is negligence, you should not be doing that anyway

      • [CVE-2016-0752] Possible Information Leak Vulnerability in Action View: render params[:id] is not defensive programming, so you should not be doing that too

      • [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record: Only if using nested_attributes and rejection proc. Wasn’t my case. Just patch.

      • [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack: DoS is bad, just patch.

      • [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller: Just patch.

Stories with similar links:

  1. SFTPGo: a Golang performance story and some questions via inactive-user 3 years ago | 7 points | no comments
  2. Racket2 possibilities via inactive-user 4 years ago | 20 points | 9 comments
  3. PostScript and Interpress: a comparison (1985) via zge 4 years ago | 4 points | no comments
  4. Origins of the finger command via calvin 5 years ago | 21 points | no comments
  5. The NetHack DevTeam is happy to announce the release of NetHack 3.6.1 via intercal 5 years ago | 21 points | 5 comments
  6. CVE-2017-17482: OpenVMS Security Notice for local privilege escalation via dege 5 years ago | 4 points | no comments
  7. Eve (programming language) is winding down via roryokane 5 years ago | 45 points | 12 comments
  8. Go 1.10 Beta 1 is released via av 5 years ago | 6 points | no comments
  9. Termination of the certificates business of Startcom via calvin 5 years ago | 20 points | 1 comment
  10. A new Common Lisp compiler/interpreter in Prolog via rogersm 5 years ago | 11 points | 2 comments
  11. Faster blame on hg.mozilla.org (2016) via JordiGH 5 years ago | 4 points | no comments
  12. Sequel 5.0.0 Released authored by jeremyevans 6 years ago | 13 points | 1 comment
  13. First Language (1998) via yumaikas 6 years ago | 1 point | no comments
  14. Redis 4.0.0 GA via fs111 6 years ago | 12 points | 1 comment
  15. mblaze 0.1, a Maildir-focused command line mail client via duncaen 6 years ago | 23 points | 1 comment
  16. Concerns about Kubernetes Community newcomers via devth 6 years ago | 2 points | 1 comment
  17. Shen has been ported to C via bsima 6 years ago | 3 points | no comments
  18. Vitaly Slobodin steps down as PhantomJS maintainer because of headless Chrome via koehr 6 years ago | 3 points | 2 comments
  19. Symantec again caught issuing suspicious certificates, this time for example.com via kb 6 years ago | 15 points | 1 comment
  20. Ansible: New RCs for Security Bug CVE-2016-9587 via ChrisShort 6 years ago | 1 point | no comments
  21. Mercurial 4.0 Sprint Notes via ngoldbaum 6 years ago | 14 points | 3 comments
  22. Apple's response to the WoSign incidents via inactive-user 6 years ago | 17 points | 6 comments
  23. Happy 25th birthday Linux via mjturner 7 years ago | 7 points | 1 comment
  24. Incidents involving the CA WoSign via lattera 7 years ago | 16 points | 2 comments
  25. Vim 8.0 pre-announcement via romanzolotarev 7 years ago | 21 points | 7 comments
  26. Buford v0.7.0 Apple Push Notifications for Go 1.6 and HTTP/2 authored by nathany 7 years ago | 2 points | no comments
  27. Go 1.7 Beta 1 released via inactive-user 7 years ago | 12 points | no comments
  28. Linus hacks fsck to recover deleted files (1993) via pushcx 7 years ago | 2 points | no comments
  29. Alpha release of Servo to be released in June via ane 7 years ago | 29 points | 7 comments
  30. Git integrity via effdee 7 years ago | 28 points | 2 comments
  31. Go 1.5.3 is released via luiz 7 years ago | 8 points | no comments
  32. Go 1.6 Beta 1 is released via nathany 7 years ago | 12 points | 2 comments
  33. Phoenix 1.1 Released via bratsche 7 years ago | 19 points | no comments
  34. Go 1.5.2 is released via nathany 7 years ago | 9 points | 5 comments
  35. Standardising racket's threading macros via zem 7 years ago | 6 points | no comments
  36. Password Hashing Competition Winner: Argon2 via jcs 8 years ago | 15 points | no comments
  37. What is a closure? via rubenbarroso 8 years ago | 7 points | no comments
  38. Linux futex_wait bug via SeanTAllen 8 years ago | 12 points | no comments
  39. JMH vs Caliper reference thread (JVM micro-benchmarking) via tobym 8 years ago | 4 points | no comments
  40. [release] Redis 3.0.0 is out. via joshuacc 8 years ago | 10 points | 3 comments
  41. Golang team is discussing a builtin solution for dependency management via kb 8 years ago | 23 points | 16 comments
  42. The RabbitMQ Team is Hiring - Remote Workers Accepted via old_sound 8 years ago | 2 points | no comments
  43. Go 1.4.1 Released via mreedell 8 years ago | 8 points | no comments
  44. comment on adding conditionals to configuration languages via stuntgoat 8 years ago | 1 point | no comments
  45. Choosing hardware to minimize latency via tobym 8 years ago | 3 points | no comments
  46. Rack, Change of Maintainer & Status via pushcx 9 years ago | 1 point | no comments
  47. Play 2.3.0 Is Released via kellogh 9 years ago | 1 point | no comments
  48. goroutines management via pyk 9 years ago | 1 point | no comments
  49. Rails Directory Traversal Vulnerability With Certain Route Configurations (CVE-2014-0130) via jcs 9 years ago | 1 point | no comments
  50. Proposal to remove StartCom from Mozilla CA truststore via hdevalence 9 years ago | 8 points | no comments
  51. A Simple Run Time Comparison Of AWKs Running A Genetic Algorithm via kmatt 9 years ago | 4 points | no comments
  52. Dotty open-sourced, research platform for new language concepts and compiler technologies for Scala via tobym 9 years ago | 9 points | 1 comment
  53. RubySec Summary of CVE-2013-6393 aka "you're probably vulnerable" via jcs 9 years ago | 3 points | no comments
  54. GHC (the standard Haskell compiler) gets first class iOS support via rbxbx 10 years ago | 5 points | no comments
  55. Play Framework - async by default via tobym 10 years ago | 2 points | no comments
  56. Multiple vulnerabilities in parameter parsing in Action Pack (Rails) (CVE-2013-0156) via jcs 10 years ago | 5 points | 1 comment
  57. golang-weekly issue #4 via nilmethod 11 years ago | 3 points | no comments
  58. Android 4.1 source code released via lynge 11 years ago | 4 points | 2 comments