This repository has been archived by the owner on Dec 2, 2020. It is now read-only.

Upgrade Rails due to XSS vulnerability in Action View (CVE-2016-6316) #94

Closed
hubot opened this issue Aug 11, 2016 · 1 comment · Fixed by #96
hubot commented Aug 11, 2016

Heaven detected that rails is not < 3.0.0, >= 5.0.0.1, ~> 3.2.22.3, ~> 3.2.23, ~> 3.3, ~> 4.2.7.1, ~> 4.2.8, ~> 4.3

Your Gemfile.lock on the master branch currently is 3.2.22.2.

Can you folks fix this up? 💞

/cc https://github.com/github/security/issues/1875

@hubot hubot added the Security label Aug 11, 2016
@jacobbednarz (Member)
Thanks @hubot!

jacobbednarz added a commit that referenced this issue Aug 11, 2016
This bumps the version of Rails to 3.2.22.4 in order to mitigate
CVE-2016-6316[1]. The CVE is a fix to ensure that double quotes are
correctly sanitised for HTML output and cannot be used as an XSS vector.

[1]: https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE

Fixes #94
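The commit message above describes the fix only in one sentence. The following is an added, self-contained Ruby model of the behaviour change (not the repository's code and not Rails' own helper): a stand-in for a string marked `html_safe`, a pre-fix attribute builder that trusts that flag inside a quoted attribute, and a post-fix builder that escapes double quotes in attribute values regardless of the flag. Class, method names and the sample input are constructed for illustration.

```ruby
# Constructed model of the CVE-2016-6316 fix in Action View's tag helper.
# Not the project's own code; names are assumptions that mirror the Rails
# helper in spirit only.

# Minimal stand-in for ActiveSupport::SafeBuffer: a string the application has
# marked as already HTML-safe, so the generic escaper passes it through unchanged.
class SafeString < String
  def html_safe?; true; end
end

# Mirrors ERB::Util.html_escape: escapes &, <, >, " and ' unless the value is
# already flagged html_safe, in which case it is returned as-is.
def html_escape(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  value.to_s.gsub(/[&<>"']/, '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                              '"' => '&quot;', "'" => '&#39;')
end

# Pre-fix behaviour: the html_safe flag is trusted even inside a quoted
# attribute, so a double quote in a "safe" string terminates the attribute value.
def tag_option_vulnerable(key, value)
  %(#{key}="#{html_escape(value)}")
end

# Post-fix behaviour (Rails 3.2.22.4 / 4.2.7.1 / 5.0.0.1): the attribute context
# applies its own rule, so double quotes always become &quot;, html_safe or not.
def tag_option_fixed(key, value)
  %(#{key}="#{html_escape(value).gsub('"', '&quot;')}")
end

# Regression check for a test suite: a correctly rendered attribute contains
# exactly two raw double quotes, the opening and closing delimiters.
def attribute_delimiters_intact?(rendered)
  rendered.count('"') == 2
end

if __FILE__ == $PROGRAM_NAME
  title = SafeString.new('say "hi"')   # constructed input marked safe upstream
  puts tag_option_vulnerable(:title, title)   # title="say "hi""
  puts tag_option_fixed(:title, title)        # title="say &quot;hi&quot;"
end
```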