
Security vulnerabilities in the rubygem software package

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2020-4dd34860a3
2020-10-05 00:15:05.246453
——————————————————————————–

Name : rubygem-railties
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : http://rubyonrails.org
Summary : Tools for creating, working with, and running Rails applications
Description :
Rails internals: application bootup, plugins, generators, and rake tasks.
Railties is responsible to glue all frameworks together. Overall, it:
* handles all the bootstrapping process for a Rails application;
* manages rails command line interface;
* provides Rails generators core;

——————————————————————————–
Update Information:

Upgrade to Ruby on Rails 6.0.3.3. Fixes CVEs: #1877568 #1831529 #1852381
——————————————————————————–
ChangeLog:

* Tue Sep 22 2020 Pavel Valena <pvalena@redhat.com> - 6.0.3.3-1
- Update to railties 6.0.3.3.
Resolves: rhbz#1877509
——————————————————————————–
References:

[ 1 ] Bug #1831529 – CVE-2020-5267 rubygem-actionview: views that use the `j` or `escape_javascript` methods are susceptible to XSS attacks [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1831529
[ 2 ] Bug #1852381 – CVE-2020-8185 rubygem-rails: untrusted users able to run pending migrations in production [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1852381
[ 3 ] Bug #1877568 – CVE-2020-15169 rubygem-actionview: rubygem-activeview: Cross-site scripting in translation helpers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1877568
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-4dd34860a3' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
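The notification gives the dnf command for applying the update but no way to confirm afterwards which hosts still carry the affected gems. The following POSIX sh script is an added example, not part of the Fedora notification: it reads `rpm -q` style lines and reports the Rails gems whose version is still below the fixed version 6.0.3.3 named in this advisory. The sample query output is constructed inline so the script runs offline; the `version_ge`, `outdated_packages` and `count_outdated` helpers are this example's own names.

```shell
#!/bin/sh
# Added example (not part of the Fedora notification): report which installed
# rubygem-* packages are still below the version shipped by this advisory.
# On a real host the input comes from:
#   rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' rubygem-rails rubygem-actionview ...
# Here it is constructed inline so the script runs without rpm.

# Fixed version of the Rails gems in FEDORA-2020-4dd34860a3 (from the advisory).
# rubygem-image_processing (1.11.0) is not a Rails gem and is not checked here.
FIXED_VERSION="6.0.3.3"

# Constructed sample of rpm query output for a hypothetical host on which two
# gems are still on pre-advisory releases.
SAMPLE_RPM_OUTPUT="rubygem-rails 6.0.3.2 1.fc33
rubygem-actionview 6.0.3.3 1.fc33
rubygem-actionpack 6.0.3.3 2.fc33
rubygem-activerecord 6.0.3.1 1.fc33"

# version_ge A B: succeed when dotted version A >= B. Components are compared
# numerically, left to right; a missing component counts as 0 (6.0.3 == 6.0.3.0).
# Assumes purely numeric components, which holds for the versions on this page.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ -z "$ac" ] && ac=0
        [ -z "$bc" ] && bc=0
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
        # Drop the leading component; the string becomes empty when none is left.
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# outdated_packages: read "name version release" lines on stdin and print the
# names whose version is below FIXED_VERSION, one per line. The release
# string (1.fc33) is deliberately ignored; only the upstream version matters here.
outdated_packages() {
    while read -r name ver rel; do
        [ -z "$name" ] && continue
        if ! version_ge "$ver" "$FIXED_VERSION"; then
            echo "$name"
        fi
    done
}

# count_outdated: number of packages in the constructed sample that are still
# below the fixed version.
count_outdated() {
    printf '%s\n' "$SAMPLE_RPM_OUTPUT" | outdated_packages | wc -l | tr -d ' '
}

# Run against the constructed sample; on a real host pipe the rpm query
# shown at the top into outdated_packages instead.
printf '%s\n' "$SAMPLE_RPM_OUTPUT" | outdated_packages
```

Against the constructed sample the script prints rubygem-rails and rubygem-activerecord. The comparison stops at the upstream version on purpose: the release tag differs between packages in this very advisory (rubygem-actionpack ships 2.fc33, the others 1.fc33), so comparing it would produce false alarms.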
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

——————————————————————————–

Name : rubygem-rails
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : http://rubyonrails.org
Summary : Full-stack web application framework
Description :
Ruby on Rails is a full-stack web framework optimized for programmer happiness
and sustainable productivity. It encourages beautiful code by favoring
convention over configuration.

——————————————————————————–
ChangeLog:

* Fri Sep 18 2020 Pavel Valena <pvalena@redhat.com> - 1:6.0.3.3-1
- Update to rails 6.0.3.3.
Resolves: rhbz#1877515
——————————————————————————–

Name : rubygem-activestorage
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : http://rubyonrails.org
Summary : Local and cloud file storage framework
Description :
Attach cloud and local files in Rails applications.

——————————————————————————–
ChangeLog:

* Tue Sep 22 2020 Pavel Valena <pvalena@redhat.com> - 6.0.3.3-1
- Update to activestorage 6.0.3.3.
Resolves: rhbz#1877544
——————————————————————————–

Name : rubygem-actionmailer
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : https://rubyonrails.org
Summary : Email composition and delivery framework (part of Rails)
Description :
Email on Rails. Compose, deliver, and test emails using the familiar
controller/view pattern. First-class support for multipart email and
attachments.

——————————————————————————–
ChangeLog:

* Tue Sep 22 2020 Pavel Valena <pvalena@redhat.com> - 1:6.0.3.3-1
- Update to actionmailer 6.0.3.3.
Resolves: rhbz#1877505
——————————————————————————–

Name : rubygem-activesupport
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : http://rubyonrails.org
Summary : A support libraries and Ruby core extensions extracted from the Rails framework
Description :
A toolkit of support libraries and Ruby core extensions extracted from the
Rails framework. Rich support for multibyte strings, internationalization,
time zones, and testing.

——————————————————————————–
ChangeLog:

* Fri Sep 18 2020 Pavel Valena <pvalena@redhat.com> - 1:6.0.3.3-1
- Update to activesupport 6.0.3.3.
Resolves: rhbz#1877502
- Fix evaluator test from web-console.
- Properly fix flaky `FileStoreTest#test_filename_max_size` test case.
——————————————————————————–

Name : rubygem-activejob
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : http://rubyonrails.org
Summary : Job framework with pluggable queues
Description :
Declare job classes that can be run by a variety of queueing backends.

——————————————————————————–
ChangeLog:

* Fri Sep 18 2020 Pavel Valena <pvalena@redhat.com> - 6.0.3.3-1
- Update to activejob 6.0.3.3.
Resolves: rhbz#1877504
——————————————————————————–

Name : rubygem-image_processing
Product : Fedora 33
Version : 1.11.0
Release : 1.fc33
URL : https://github.com/janko/image_processing
Summary : High-level wrapper for processing images for the web with ImageMagick or libvips
Description :
High-level wrapper for processing images for the web with ImageMagick or
libvips.

——————————————————————————–
ChangeLog:

——————————————————————————–

Name : rubygem-activerecord
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : http://rubyonrails.org
Summary : Object-relational mapper framework (part of Rails)
Description :
Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database
tables and classes together for business objects, like Customer or
Subscription, that can find, save, and destroy themselves without resorting to
manual SQL.

——————————————————————————–
ChangeLog:

* Tue Sep 22 2020 Pavel Valena <pvalena@redhat.com> - 1:6.0.3.3-1
- Update to activerecord 6.0.3.3.
Resolves: rhbz#1877501
——————————————————————————–

Name : rubygem-activemodel
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : http://rubyonrails.org
Summary : A toolkit for building modeling frameworks (part of Rails)
Description :
A toolkit for building modeling frameworks like Active Record. Rich support
for attributes, callbacks, validations, serialization, internationalization,
and testing.

——————————————————————————–
ChangeLog:

* Fri Sep 18 2020 Pavel Valena <pvalena@redhat.com> - 6.0.3.3-1
- Update to activemodel 6.0.3.3.
Resolves: rhbz#1877543
——————————————————————————–

Name : rubygem-actionpack
Product : Fedora 33
Version : 6.0.3.3
Release : 2.fc33
URL : http://rubyonrails.org
Summary : Web-flow and rendering framework putting the VC in MVC (part of Rails)
Description :
Eases web-request routing, handling, and response as a half-way front,
half-way page controller. Implemented with specific emphasis on enabling easy
unit/integration testing that doesn’t require a browser.

——————————————————————————–
ChangeLog:

* Tue Sep 22 2020 Pavel Valena <pvalena@redhat.com> - 1:6.0.3.3-2
- Update to actionpack 6.0.3.3.
Resolves: rhbz#1877506
- Run the test suite above the currently built ActionPack.
——————————————————————————–

Name : rubygem-actionview
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : http://rubyonrails.org
Summary : Rendering framework putting the V in MVC (part of Rails)
Description :
Simple, battle-tested conventions and helpers for building web pages.

——————————————————————————–
ChangeLog:

* Tue Sep 22 2020 Pavel Valena <pvalena@redhat.com> - 6.0.3.3-1
- Update to actionview 6.0.3.3.
Resolves: rhbz#1877500
——————————————————————————–

Name : rubygem-actiontext
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : https://rubyonrails.org
Summary : Rich text framework
Description :
Edit and display rich text in Rails applications.

——————————————————————————–
ChangeLog:

* Tue Sep 22 2020 Pavel Valena <pvalena@redhat.com> - 6.0.3.3-1
- Update to actiontext 6.0.3.3.
Resolves: rhbz#1877508
——————————————————————————–

Name : rubygem-actionmailbox
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : https://rubyonrails.org
Summary : Inbound email handling framework
Description :
Receive and process incoming emails in Rails applications.

——————————————————————————–
ChangeLog:

* Tue Sep 22 2020 Pavel Valena <pvalena@redhat.com> - 6.0.3.3-1
- Update to actionmailbox 6.0.3.3.
Resolves: rhbz#1877507
——————————————————————————–

Name : rubygem-actioncable
Product : Fedora 33
Version : 6.0.3.3
Release : 1.fc33
URL : http://rubyonrails.org
Summary : WebSocket framework for Rails
Description :
Structure many real-time application concerns into channels over a single
WebSocket connection.

——————————————————————————–
ChangeLog:

* Tue Sep 22 2020 Pavel Valena <pvalena@redhat.com> - 6.0.3.3-1
- Update to actioncable 6.0.3.3.
Resolves: rhbz#1877503
——————————————————————————–

Author: Bruno Varga
CERT id: NCERT-REF-2020-10-0001-ADV
CVE: CERT-CVE-DUMMY
Original ID: CERT-ORIGID-DUMMY
Product: CERT-DUMMY-PRODUCT
Source: Adobe