Here’s a summary (shamelessly snagged from HN):

• [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack: Look for routes that contain “:controller” and change it to something else. Hopefully you didn’t have this weird name in your routes.

• [CVE-2015-7578/79] Possible XSS vulnerability in rails-html-sanitizer: You’re safe if you use a single page application that properly encodes for you. Stripping tags isn’t the best way anyway to filter XSS, so if you’re encoding, you’re good.

• [CVE-2016-0753] Possible Input Validation Circumvention in Active Model: params.permit! is negligence; you should not be doing that anyway.

• [CVE-2016-0752] Possible Information Leak Vulnerability in Action View: render params[:id] is not defensive programming, so you should not be doing that either.

• [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record: Only if using nested_attributes and rejection proc. Wasn’t my case. Just patch.

• [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack: DoS is bad, just patch.

• [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller: Just patch.
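An added example, not from the thread and not Rails code: plain-Ruby stand-ins for the two patterns the comment calls out, params.permit! (CVE-2016-0753) and render params[:id] (CVE-2016-0752), each next to the allowlisting form that avoids the problem. The params hash, the permitted key names and the template table are constructed for illustration and carry no Rails dependency.

```ruby
# Plain-Ruby models of two Rails anti-patterns and their hardened forms.
# No Rails is loaded; `params` is a plain Hash constructed for the demo.

# --- Mass assignment (CVE-2016-0753 territage of strong parameters) ---
# `params.permit!` marks every key as permitted, so any attribute a client
# adds (here "admin") reaches the model. The hardened form names the keys.
PERMITTED_USER_KEYS = %w[name email].freeze

def permit_all(user_params)          # stand-in for `params.permit!`
  user_params.dup                    # nothing is filtered out
end

def permit_user(params)              # stand-in for
  user = params.fetch("user") do     # `params.require(:user).permit(:name, :email)`
    raise ArgumentError, "user key required"
  end
  user.select { |key, _| PERMITTED_USER_KEYS.include?(key) }
end

# --- Template selection (CVE-2016-0752 territory) ---
# `render params[:id]` lets the client pick the template path. Instead, map the
# request value onto a fixed table and refuse anything not in it, so user input
# never becomes a file path.
TEMPLATES = {
  "summary" => "dashboards/summary",
  "detail"  => "dashboards/detail",
}.freeze

def safe_template?(id)
  TEMPLATES.key?(id.to_s)
end

def template_for(id)
  TEMPLATES.fetch(id.to_s) do
    raise ArgumentError, "unknown template: #{id.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  params = {
    "user" => { "name" => "alice", "email" => "a@example.com", "admin" => "true" },
    "id"   => "summary",
  }
  p permit_all(params["user"])   # "admin" slips through
  p permit_user(params)          # only name and email survive
  p template_for(params["id"])   # "dashboards/summary"
end
```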
