    Here’s a summary (shamelessly snagged from HN):

    • [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack: Look for routes that contain “:controller” and change it to something else. Hopefully you didn’t have this weird name in your routes.

    • [CVE-2015-7578/79] Possible XSS vulnerability in rails-html-sanitizer: You’re safe if you use a single page application that properly encodes for you. Stripping tags isn’t the best way to filter XSS anyway, so if you’re encoding, you’re good.

    • [CVE-2016-0753] Possible Input Validation Circumvention in Active Model: params.permit! is negligence; you should not be doing that anyway.

    • [CVE-2016-0752] Possible Information Leak Vulnerability in Action View: render params[:id] is not defensive programming, so you should not be doing that either.

    • [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record: Only if using nested_attributes and rejection proc. Wasn’t my case. Just patch.

    • [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack: DoS is bad, just patch.

    • [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller: Just patch.
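The summary above recommends code hygiene for four of the items: explicit strong parameters instead of params.permit!, never passing user input to render, encoding output instead of stripping tags, and a constant-time credential comparison for basic auth. The following plain-Ruby block is an added illustration of those four defensive patterns; it is not the commenter's code nor Rails' own implementation, and the function names (permit_params, safe_template, secure_compare, escape_html) and the template allowlist are assumptions made for the example. It runs without Rails: only ERB::Util from the standard library is used for HTML encoding.

```ruby
require "erb"

# Explicit allowlist instead of params.permit!: only the named keys survive.
# (Hypothetical stand-in for strong parameters; not the Rails API.)
def permit_params(params, allowed_keys)
  allowed = allowed_keys.map(&:to_s)
  params.select { |key, _| allowed.include?(key.to_s) }
end

# Render only templates from a fixed allowlist; never hand user input
# (such as params[:id]) straight to render. Rejects anything unknown.
TEMPLATES = %w[show edit].freeze
def safe_template(requested, allowed = TEMPLATES)
  name = requested.to_s
  raise ArgumentError, "template not allowed: #{name}" unless allowed.include?(name)
  name
end

# Constant-time comparison for credential checks (the kind a timing-safe
# basic-auth check needs). Every byte is examined, so the time taken does
# not depend on where the first mismatch is. Note: the length check still
# leaks the length of the expected value; hash both sides first if that matters.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

# Encode on output rather than stripping tags on input: the markup is
# preserved as text, so it cannot execute in the browser.
def escape_html(str)
  ERB::Util.html_escape(str)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request parameters, including a key a client should not set.
  params = { "name" => "alice", "admin" => true }
  puts permit_params(params, %w[name]).inspect   # {"name"=>"alice"}
  puts safe_template("show")                     # show
  puts secure_compare("hunter2", "hunter2")      # true
  puts escape_html("<b>hi</b>")                  # &lt;b&gt;hi&lt;/b&gt;
end
```

permit_params drops "admin" because it is not on the allowlist, which is exactly the mass-assignment exposure that params.permit! reopens; safe_template raises rather than falling back silently, so an unexpected value shows up in the logs instead of rendering an arbitrary file.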