- Issued:
- 2016-09-13
- Updated:
- 2016-09-13
RHSA-2016:1855 - Security Advisory
Synopsis
Moderate: rh-ror42 security update
Type/Severity
Security Advisory: Moderate
Topic
An update for rh-ror42-rubygem-actionview, rh-ror42-rubygem-activerecord, and rh-ror42-rubygem-actionpack is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action View implements the view component, and Active Record implements the model component.
Security Fix(es) in rubygem-actionview:
- It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack. (CVE-2016-6316)
Security Fix(es) in rubygem-activerecord:
- A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application. (CVE-2016-6317)
Red Hat would like to thank the Ruby on Rails project for reporting these issues. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the original reporter of CVE-2016-6316; and joernchen (Phenoelit) as the original reporter of CVE-2016-6317.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.2 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.1 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Fixes
- BZ - 1365008 - CVE-2016-6316 rubygem-actionview: cross-site scripting flaw in Action View
- BZ - 1365017 - CVE-2016-6317 rubygem-activerecord: unsafe query generation in Active Record
CVEs
References
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5
| SRPM | |
|---|---|
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.src.rpm | SHA-256: 7384ebd9015a9b216da8a0561d51036ffa3f92faef150d36f62c7b4d6b0a828c |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.src.rpm | SHA-256: bf70b0a4078e18700ed62a416ff8040a258cf67231f0bcc91c77ac8bb14c1cab |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.src.rpm | SHA-256: 9122e67bf0d71cc1659257c6c2a3bf97cabb9d458008c7e4a7efa7c33256d170 |
| x86_64 | |
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.noarch.rpm | SHA-256: ab11f8945c8556866fbcb4bf936ae854f46c3dad1f5bc60649ee199028f44963 |
| rh-ror42-rubygem-actionpack-doc-4.2.6-3.el7.noarch.rpm | SHA-256: a1f87280999fe1c45d1fa7058177aa2a9425f7e58b16fb00d25c0d63ea17bb8b |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.noarch.rpm | SHA-256: 18061af4622d95919b161e92db30ef2f01a043792d75ee313b8018fd6d47f985 |
| rh-ror42-rubygem-actionview-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 5ef9c152a0494073fd063c8bf5cb0dbc3b075c0544ea55530ec311ab4af3ba02 |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.noarch.rpm | SHA-256: 47c5a4ebd88de277f914bcbcc54dea910d81026da6cffab3d48051eb2a0cce46 |
| rh-ror42-rubygem-activerecord-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 22a3d12952ac5f957cf2fc1890f51f531e1063e701640d19b9c9e5c8e942207c |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4
| SRPM | |
|---|---|
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.src.rpm | SHA-256: 7384ebd9015a9b216da8a0561d51036ffa3f92faef150d36f62c7b4d6b0a828c |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.src.rpm | SHA-256: bf70b0a4078e18700ed62a416ff8040a258cf67231f0bcc91c77ac8bb14c1cab |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.src.rpm | SHA-256: 9122e67bf0d71cc1659257c6c2a3bf97cabb9d458008c7e4a7efa7c33256d170 |
| x86_64 | |
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.noarch.rpm | SHA-256: ab11f8945c8556866fbcb4bf936ae854f46c3dad1f5bc60649ee199028f44963 |
| rh-ror42-rubygem-actionpack-doc-4.2.6-3.el7.noarch.rpm | SHA-256: a1f87280999fe1c45d1fa7058177aa2a9425f7e58b16fb00d25c0d63ea17bb8b |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.noarch.rpm | SHA-256: 18061af4622d95919b161e92db30ef2f01a043792d75ee313b8018fd6d47f985 |
| rh-ror42-rubygem-actionview-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 5ef9c152a0494073fd063c8bf5cb0dbc3b075c0544ea55530ec311ab4af3ba02 |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.noarch.rpm | SHA-256: 47c5a4ebd88de277f914bcbcc54dea910d81026da6cffab3d48051eb2a0cce46 |
| rh-ror42-rubygem-activerecord-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 22a3d12952ac5f957cf2fc1890f51f531e1063e701640d19b9c9e5c8e942207c |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3
| SRPM | |
|---|---|
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.src.rpm | SHA-256: 7384ebd9015a9b216da8a0561d51036ffa3f92faef150d36f62c7b4d6b0a828c |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.src.rpm | SHA-256: bf70b0a4078e18700ed62a416ff8040a258cf67231f0bcc91c77ac8bb14c1cab |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.src.rpm | SHA-256: 9122e67bf0d71cc1659257c6c2a3bf97cabb9d458008c7e4a7efa7c33256d170 |
| x86_64 | |
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.noarch.rpm | SHA-256: ab11f8945c8556866fbcb4bf936ae854f46c3dad1f5bc60649ee199028f44963 |
| rh-ror42-rubygem-actionpack-doc-4.2.6-3.el7.noarch.rpm | SHA-256: a1f87280999fe1c45d1fa7058177aa2a9425f7e58b16fb00d25c0d63ea17bb8b |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.noarch.rpm | SHA-256: 18061af4622d95919b161e92db30ef2f01a043792d75ee313b8018fd6d47f985 |
| rh-ror42-rubygem-actionview-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 5ef9c152a0494073fd063c8bf5cb0dbc3b075c0544ea55530ec311ab4af3ba02 |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.noarch.rpm | SHA-256: 47c5a4ebd88de277f914bcbcc54dea910d81026da6cffab3d48051eb2a0cce46 |
| rh-ror42-rubygem-activerecord-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 22a3d12952ac5f957cf2fc1890f51f531e1063e701640d19b9c9e5c8e942207c |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.2
| SRPM | |
|---|---|
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.src.rpm | SHA-256: 7384ebd9015a9b216da8a0561d51036ffa3f92faef150d36f62c7b4d6b0a828c |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.src.rpm | SHA-256: bf70b0a4078e18700ed62a416ff8040a258cf67231f0bcc91c77ac8bb14c1cab |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.src.rpm | SHA-256: 9122e67bf0d71cc1659257c6c2a3bf97cabb9d458008c7e4a7efa7c33256d170 |
| x86_64 | |
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.noarch.rpm | SHA-256: ab11f8945c8556866fbcb4bf936ae854f46c3dad1f5bc60649ee199028f44963 |
| rh-ror42-rubygem-actionpack-doc-4.2.6-3.el7.noarch.rpm | SHA-256: a1f87280999fe1c45d1fa7058177aa2a9425f7e58b16fb00d25c0d63ea17bb8b |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.noarch.rpm | SHA-256: 18061af4622d95919b161e92db30ef2f01a043792d75ee313b8018fd6d47f985 |
| rh-ror42-rubygem-actionview-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 5ef9c152a0494073fd063c8bf5cb0dbc3b075c0544ea55530ec311ab4af3ba02 |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.noarch.rpm | SHA-256: 47c5a4ebd88de277f914bcbcc54dea910d81026da6cffab3d48051eb2a0cce46 |
| rh-ror42-rubygem-activerecord-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 22a3d12952ac5f957cf2fc1890f51f531e1063e701640d19b9c9e5c8e942207c |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.1
| SRPM | |
|---|---|
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.src.rpm | SHA-256: 7384ebd9015a9b216da8a0561d51036ffa3f92faef150d36f62c7b4d6b0a828c |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.src.rpm | SHA-256: bf70b0a4078e18700ed62a416ff8040a258cf67231f0bcc91c77ac8bb14c1cab |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.src.rpm | SHA-256: 9122e67bf0d71cc1659257c6c2a3bf97cabb9d458008c7e4a7efa7c33256d170 |
| x86_64 | |
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.noarch.rpm | SHA-256: ab11f8945c8556866fbcb4bf936ae854f46c3dad1f5bc60649ee199028f44963 |
| rh-ror42-rubygem-actionpack-doc-4.2.6-3.el7.noarch.rpm | SHA-256: a1f87280999fe1c45d1fa7058177aa2a9425f7e58b16fb00d25c0d63ea17bb8b |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.noarch.rpm | SHA-256: 18061af4622d95919b161e92db30ef2f01a043792d75ee313b8018fd6d47f985 |
| rh-ror42-rubygem-actionview-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 5ef9c152a0494073fd063c8bf5cb0dbc3b075c0544ea55530ec311ab4af3ba02 |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.noarch.rpm | SHA-256: 47c5a4ebd88de277f914bcbcc54dea910d81026da6cffab3d48051eb2a0cce46 |
| rh-ror42-rubygem-activerecord-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 22a3d12952ac5f957cf2fc1890f51f531e1063e701640d19b9c9e5c8e942207c |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.src.rpm | SHA-256: 7384ebd9015a9b216da8a0561d51036ffa3f92faef150d36f62c7b4d6b0a828c |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.src.rpm | SHA-256: bf70b0a4078e18700ed62a416ff8040a258cf67231f0bcc91c77ac8bb14c1cab |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.src.rpm | SHA-256: 9122e67bf0d71cc1659257c6c2a3bf97cabb9d458008c7e4a7efa7c33256d170 |
| x86_64 | |
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.noarch.rpm | SHA-256: ab11f8945c8556866fbcb4bf936ae854f46c3dad1f5bc60649ee199028f44963 |
| rh-ror42-rubygem-actionpack-doc-4.2.6-3.el7.noarch.rpm | SHA-256: a1f87280999fe1c45d1fa7058177aa2a9425f7e58b16fb00d25c0d63ea17bb8b |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.noarch.rpm | SHA-256: 18061af4622d95919b161e92db30ef2f01a043792d75ee313b8018fd6d47f985 |
| rh-ror42-rubygem-actionview-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 5ef9c152a0494073fd063c8bf5cb0dbc3b075c0544ea55530ec311ab4af3ba02 |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.noarch.rpm | SHA-256: 47c5a4ebd88de277f914bcbcc54dea910d81026da6cffab3d48051eb2a0cce46 |
| rh-ror42-rubygem-activerecord-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 22a3d12952ac5f957cf2fc1890f51f531e1063e701640d19b9c9e5c8e942207c |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.src.rpm | SHA-256: 7384ebd9015a9b216da8a0561d51036ffa3f92faef150d36f62c7b4d6b0a828c |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.src.rpm | SHA-256: bf70b0a4078e18700ed62a416ff8040a258cf67231f0bcc91c77ac8bb14c1cab |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.src.rpm | SHA-256: 9122e67bf0d71cc1659257c6c2a3bf97cabb9d458008c7e4a7efa7c33256d170 |
| x86_64 | |
| rh-ror42-rubygem-actionpack-4.2.6-3.el7.noarch.rpm | SHA-256: ab11f8945c8556866fbcb4bf936ae854f46c3dad1f5bc60649ee199028f44963 |
| rh-ror42-rubygem-actionpack-doc-4.2.6-3.el7.noarch.rpm | SHA-256: a1f87280999fe1c45d1fa7058177aa2a9425f7e58b16fb00d25c0d63ea17bb8b |
| rh-ror42-rubygem-actionview-4.2.6-3.el7.noarch.rpm | SHA-256: 18061af4622d95919b161e92db30ef2f01a043792d75ee313b8018fd6d47f985 |
| rh-ror42-rubygem-actionview-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 5ef9c152a0494073fd063c8bf5cb0dbc3b075c0544ea55530ec311ab4af3ba02 |
| rh-ror42-rubygem-activerecord-4.2.6-3.el7.noarch.rpm | SHA-256: 47c5a4ebd88de277f914bcbcc54dea910d81026da6cffab3d48051eb2a0cce46 |
| rh-ror42-rubygem-activerecord-doc-4.2.6-3.el7.noarch.rpm | SHA-256: 22a3d12952ac5f957cf2fc1890f51f531e1063e701640d19b9c9e5c8e942207c |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.