Critical Security Updates

Brad Potts edited this page Mar 12, 2016 · 5 revisions

### 2016-02-29 - Update to mtdevise - version 2.0.1+

All security patches listed below are carried forward into version 2.0.

### 2016-02-29 - Update to mtdevise - version 1.8.6

CVE-2016-2098 - There is a possible remote code execution vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-2098. Applications that pass unverified user input to the render method in a controller or a view may be vulnerable to a code injection. Impacted code will look like this:

```ruby
class TestController < ApplicationController
  def show
    render params[:id]
  end
end
```

An attacker could use the request parameters to coerce the above example to execute arbitrary ruby code.

### 2016-01-28 - Update to mtdevise - version 1.7.8

The latest version addresses all of the issues below.

CVE-2015-7576 - There is a timing attack vulnerability in the basic authentication support in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2015-7576. Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password.
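The timing leak described above comes from comparing secrets with an early-exit equality check. The following is an added example, not code from this wiki or from Rails, showing a comparison whose running time does not depend on where the inputs differ, and a basic-auth check built on it. The credential pair in `basic_auth_ok?` is a constructed placeholder.

```ruby
require 'digest'

# Naive comparison: String#== (like memcmp) returns as soon as a byte differs,
# so a response that takes one byte-compare longer tells the caller that the
# guessed prefix was correct. This is the pattern the advisory warns about.
def naive_compare(a, b)
  a == b
end

# Constant-time comparison of two same-length strings: every byte pair is
# XORed and OR-ed into an accumulator, so the work done is the same whether
# the inputs differ at byte 0, byte 20, or not at all.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, 'length mismatch' unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Inputs of unknown length (a submitted password versus the stored secret):
# hash both sides first so the fixed-length compare never raises and the
# secret's length is not leaked either. The hash only normalises length here;
# it is not a password-hashing scheme.
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b))
end

# Basic-auth check: both fields are always compared (non-short-circuiting `&`)
# so the response time does not reveal whether the user name alone was right.
# `expected` is a constructed credential pair for this example.
def basic_auth_ok?(name, password, expected: { name: 'admin', password: 'correct horse battery staple' })
  name_ok = secure_compare(name.to_s, expected[:name])
  pass_ok = secure_compare(password.to_s, expected[:password])
  name_ok & pass_ok
end
```

Rails' own fix took the same shape (hash, then fixed-length compare); the point of doing it in application code is that any other secret you compare yourself, such as an API token or a signed cookie digest, needs the same treatment.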

CVE-2015-7580 - There is a possible XSS vulnerability in the white list sanitizer in the rails-html-sanitizer gem. This vulnerability has been assigned the CVE identifier CVE-2015-7580. Carefully crafted strings can cause user input to bypass the sanitization in the white list sanitizer, which can lead to an XSS attack.

CVE-2015-7579 - There is an XSS vulnerability in Rails::Html::FullSanitizer used by Action View's strip_tags. This vulnerability has been assigned the CVE identifier CVE-2015-7579. Due to the way that Rails::Html::FullSanitizer is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's strip_tags, these entities will be unescaped, which may cause an XSS attack if used in combination with raw or html_safe.

CVE-2016-0751 - There is a possible object leak which can lead to a denial of service vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2016-0751. A carefully crafted accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack.

CVE-2016-0752 - There is a possible directory traversal and information leak vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2016-0752. Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability.
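Both CVE-2016-0752 and CVE-2016-2098 (the `render params[:id]` example under the 1.8.6 entry above) have the same root cause: a request parameter reaches `render` unmodified, so it can name a file outside the view directory or, as a Hash, an inline template. The block below is an added example, not this wiki's or Rails' code; it keeps the parameter out of `render` entirely by using it only as a key into a fixed allow-list, plus a path check for code that must build a path from the name. `VIEW_ROOT` and `ALLOWED_TEMPLATES` are assumed values for the example.

```ruby
# Assumptions for this example: templates live under VIEW_ROOT, and the only
# templates a request may select are the keys of ALLOWED_TEMPLATES.
VIEW_ROOT = '/app/views/things'.freeze
ALLOWED_TEMPLATES = { 'show' => 'show', 'summary' => 'summary' }.freeze

class TemplateNotAllowed < StandardError; end

# Hardened replacement for `render params[:id]`: the parameter is only a key.
# A path, a "../" sequence, a Hash such as {inline: ...}, or anything else
# that is not an exact allow-listed name raises before render is reached.
def safe_render_target(param)
  key = param.to_s
  ALLOWED_TEMPLATES.fetch(key) do
    raise TemplateNotAllowed, "template #{key.inspect} not permitted"
  end
end

# Defence in depth for code that still has to build a file path from a name:
# resolve it and require that the result lies beneath VIEW_ROOT.
def resolve_under_view_root(name)
  full = File.expand_path(name.to_s, VIEW_ROOT)
  unless full.start_with?(VIEW_ROOT + '/')
    raise TemplateNotAllowed, "escapes view root: #{name.inspect}"
  end
  full
end

# The advisory's controller, reshaped: `render` would receive the allow-listed
# name rather than the raw parameter. Stand-in for a Rails controller so the
# example runs without Rails.
class HardenedController
  attr_reader :params

  def initialize(params)
    @params = params
  end

  def show
    safe_render_target(params[:id])   # in Rails: render safe_render_target(params[:id])
  end
end
```

The upgraded Rails releases change how `render` treats its argument; the allow-list is worth keeping regardless, because it makes the set of reachable templates visible in one place and independent of framework behaviour.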

CVE-2016-0753 - There is a possible input validation circumvention vulnerability in Active Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753. Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations.

CVE-2015-7581 - There is an object leak vulnerability for wildcard controllers in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2015-7581. Users that have a route that contains the string ":controller" are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain ":controller". Internally, Action Pack keeps a map of "url controller name" to "controller class name". This map is cached globally, and is populated even if the controller class doesn't actually exist.
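CVE-2016-0751 and CVE-2015-7581 share a pattern: a process-wide cache is keyed by something the client controls (an Accept header value, a `:controller` path segment) and gains an entry even when the key maps to nothing real, so every request with a fresh key grows memory. The block below is an added example, not Rails' code, showing a lookup cache that never stores unknown keys and is bounded even for known ones. The mime table is constructed for the example and stands in for the framework's registered types.

```ruby
# A lookup cache that (1) never stores a slot for a key the resolver does not
# recognise and (2) evicts the oldest entry once a size bound is reached.
class BoundedLookupCache
  def initialize(max_size:, &resolver)
    @max_size = max_size
    @resolver = resolver
    @store = {}   # Ruby Hashes keep insertion order, so this is a simple FIFO
  end

  # Returns the resolver's value for key; nil results are returned but never
  # cached, so request-controlled garbage cannot occupy memory.
  def fetch(key)
    return @store[key] if @store.key?(key)
    value = @resolver.call(key)
    return nil if value.nil?
    @store.shift if @store.size >= @max_size
    @store[key] = value
  end

  def size
    @store.size
  end
end

# Constructed registry standing in for the framework's known mime types.
KNOWN_MIME = {
  'text/html' => :html,
  'application/json' => :json,
  'application/xml' => :xml
}.freeze

MIME_CACHE = BoundedLookupCache.new(max_size: 100) { |media_type| KNOWN_MIME[media_type] }

# Split an Accept header into media types (dropping ;q= parameters) and look
# each one up; unregistered types come back as nil and leave no trace.
def lookup_accept(header)
  header.to_s.split(',').map do |part|
    MIME_CACHE.fetch(part.strip.split(';').first.to_s.strip)
  end
end

# Simulate n requests, each carrying a unique unregistered media type, and
# report the cache size afterwards: it stays bounded by the registry, not n.
def simulate_unknown_accepts(n)
  n.times { |i| lookup_accept("application/vnd.constructed-#{i}") }
  MIME_CACHE.size
end
```

The same two rules apply to the route cache in CVE-2015-7581: only cache a controller name once the class has actually been found, and keep the map bounded so a `:controller` wildcard cannot be used to fill it.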

### 2016-01-21 - Update to mtdevise - version 1.7.5

A security bug (CVE-2015-8314) has been reported in Devise’s remember me system. Devise implements the “Remember me” functionality by using cookies. While this functionality works across multiple devices, Devise ended up generating the same cookie for all devices. Consequently, if a malicious user was able to steal a remember me cookie, the cookie could be used to gain access to the application indefinitely unless the user changed his password (which may not be a frequent event). Although all Devise versions are vulnerable to this bug, the bug can only be exploited if the attacker can steal cookies in the first place. Regardless, we recommend that all users upgrade to the latest Devise version. Devise 3.5.4 has been released with a fix. This release adds a timestamp to the cookie, guaranteeing cookies can be expired on a case-by-case basis instead of an all or nothing approach.
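To make concrete what "adds a timestamp to the cookie" buys, here is an added example of a remember-me token with an issued-at time, a per-issue nonce and a binding to the current password salt. It is not Devise's implementation; `SECRET`, `REMEMBER_FOR` and the salt values are constructed for the example. Each issued cookie is distinct, each expires on its own schedule, and a password change invalidates all of them at once.

```ruby
require 'openssl'
require 'securerandom'
require 'json'
require 'base64'

SECRET = 'constructed-server-secret-change-me'.freeze   # assumption: loaded from config in a real app
REMEMBER_FOR = 14 * 24 * 3600                            # 14 days, in seconds

def sign(data)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)       # 64 hex characters
end

# Issue a remember-me cookie for one device. The issued-at timestamp and the
# random nonce make every cookie distinct (no shared cookie across devices);
# the password salt ties the cookie to the password in force when it was made.
def issue_remember_cookie(user_id, password_salt, now: Time.now.to_i)
  payload = Base64.strict_encode64(
    JSON.generate({ uid: user_id, iat: now, nonce: SecureRandom.hex(8), salt: password_salt })
  )
  "#{payload}--#{sign(payload)}"
end

# Returns the user id when the cookie is authentic and still valid, nil otherwise.
# Rejection reasons, in order: malformed, bad signature, expired, password changed.
def verify_remember_cookie(cookie, current_salt, now: Time.now.to_i)
  payload, sig = cookie.to_s.split('--', 2)
  return nil unless payload && sig && sig.bytesize == 64
  return nil unless OpenSSL.fixed_length_secure_compare(sign(payload), sig)   # Ruby 2.7+
  data = JSON.parse(Base64.strict_decode64(payload))
  return nil if now - data['iat'] > REMEMBER_FOR     # each cookie expires on its own clock
  return nil unless data['salt'] == current_salt     # password changed since issue
  data['uid']
rescue ArgumentError, JSON::ParserError
  nil
end
```

Because expiry is checked against the timestamp inside each cookie, a stolen cookie has a bounded lifetime even if the user never changes their password, which is the case-by-case expiry the Devise release notes describe.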