Charlie Somerville

**Name of the Vulnerable Software and Affected Versions** Ruby versions 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2 **Description** A heap-based buffer overflow issue allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a string that is converted to a floating point value. This can be demonstrated using the `to f` method or `JSON.parse`. **Recommendations** For Ruby version 1.8, update to a version that is not affected by this issue. For Ruby version 1.9 before 1.9.3-p484, update to version 1.9.3-p484 or later. For Ruby version 2.0 before 2.0.0-p353, update to version 2.0.0-p353 or later. For Ruby version 2.1 before 2.1.0 preview2, update to version 2.1.0 preview2 or later. As a temporary workaround, consider restricting the use of the `to f` method and `JSON.parse` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions prior to 2.3.18 Ruby on Rails versions 3.0.x through 3.1.11 Ruby on Rails versions 3.2.x through 3.2.12 **Description** The issue arises from the `sanitize css` method in the Action Pack component, which fails to properly handle newline characters. This oversight allows remote attackers to conduct cross-site scripting (XSS) attacks by crafting malicious CSS token sequences. **Recommendations** For Ruby on Rails versions prior to 2.3.18, update to version 2.3.18 or later. For Ruby on Rails versions 3.0.x through 3.1.11, update to version 3.1.12 or later. For Ruby on Rails versions 3.2.x through 3.2.12, update to version 3.2.13 or later.

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions 2.3.15 and earlier Ruby on Rails versions 3.0.x through 3.0.18 Ruby on Rails versions 3.1.x through 3.1.9 Ruby on Rails versions 3.2.x through 3.2.10 **Description** The issue allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service involving nested XML entity references, by leveraging Action Pack support for YAML type conversion or Symbol type conversion. This is due to the improper restriction of casts of string values in the `active support/core ext/hash/conversions.rb` file. **Recommendations** For Ruby on Rails version 2.3.15 and earlier, update to version 2.3.15 or later. For Ruby on Rails versions 3.0.x through 3.0.18, update to version 3.0.19 or later. For Ruby on Rails versions 3.1.x through 3.1.9, update to version 3.1.10 or later. For Ruby on Rails versions 3.2.x through 3.2.10, update to version 3.2.11 or later.

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions 3.0.0 through 3.0.15 Ruby on Rails versions 3.1.0 through 3.1.6 Ruby on Rails versions 3.2.0 through 3.2.6 **Description** The issue allows remote attackers to cause a denial of service by leveraging access to an application that uses a `with http digest` helper method. This is demonstrated by the `authenticate or request with http digest` method, which is affected by the `decode credentials` method converting Digest Authentication strings to symbols. **Recommendations** For Ruby on Rails versions 3.0.0 through 3.0.15, update to version 3.0.16 or later. For Ruby on Rails versions 3.1.0 through 3.1.6, update to version 3.1.7 or later. For Ruby on Rails versions 3.2.0 through 3.2.6, update to version 3.2.7 or later.