Candidate: CVE-2012-3463
PublicDate: 2012-08-10 10:34:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3463
 http://www.openwall.com/lists/oss-security/2012/08/09/8
 https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain
 http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/
Description:
 Cross-site scripting (XSS) vulnerability in
 actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails
 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows
 remote attackers to inject arbitrary web script or HTML via the prompt
 field to the select_tag helper.
Ubuntu-Description:
Notes:
 tyhicks> 2.3.x is not affected
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684454
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_rails:
upstream_rails: not-affected
hardy_rails: not-affected
lucid_rails: not-affected
natty_rails: not-affected (2.3.5-1.2ubuntu1.1)
oneiric_rails: not-affected (contains no code)
precise_rails: not-affected (contains no code)
precise/esm_rails: DNE (precise was not-affected [contains no code])
quantal_rails: not-affected (contains no code)
raring_rails: not-affected (contains no code)
saucy_rails: not-affected (contains no code)
trusty_rails: not-affected (contains no code)
trusty/esm_rails: DNE (trusty was not-affected [contains no code])
utopic_rails: not-affected (contains no code)
vivid_rails: not-affected (contains no code)
vivid/stable-phone-overlay_rails: DNE
vivid/ubuntu-core_rails: DNE
wily_rails: not-affected (contains no code)
xenial_rails: not-affected (contains no code)
yakkety_rails: not-affected (contains no code)
zesty_rails: not-affected (contains no code)
artful_rails: not-affected (contains no code)
bionic_rails: not-affected (contains no code)
cosmic_rails: not-affected (contains no code)
disco_rails: not-affected (contains no code)
devel_rails: not-affected (contains no code)

Patches_ruby-rails-2.3:
upstream_ruby-rails-2.3: not-affected
hardy_ruby-rails-2.3: DNE
lucid_ruby-rails-2.3: DNE
natty_ruby-rails-2.3: DNE
oneiric_ruby-rails-2.3: not-affected
precise_ruby-rails-2.3: not-affected
precise/esm_ruby-rails-2.3: DNE (precise was not-affected)
quantal_ruby-rails-2.3: not-affected
raring_ruby-rails-2.3: not-affected
saucy_ruby-rails-2.3: not-affected
trusty_ruby-rails-2.3: DNE
trusty/esm_ruby-rails-2.3: DNE
utopic_ruby-rails-2.3: DNE
vivid_ruby-rails-2.3: DNE
vivid/stable-phone-overlay_ruby-rails-2.3: DNE
vivid/ubuntu-core_ruby-rails-2.3: DNE
wily_ruby-rails-2.3: DNE
xenial_ruby-rails-2.3: DNE
yakkety_ruby-rails-2.3: DNE
zesty_ruby-rails-2.3: DNE
artful_ruby-rails-2.3: DNE
bionic_ruby-rails-2.3: DNE
cosmic_ruby-rails-2.3: DNE
disco_ruby-rails-2.3: DNE
devel_ruby-rails-2.3: DNE

Patches_ruby-actionpack-2.3:
upstream_ruby-actionpack-2.3: not-affected
hardy_ruby-actionpack-2.3: DNE
lucid_ruby-actionpack-2.3: DNE
natty_ruby-actionpack-2.3: DNE
oneiric_ruby-actionpack-2.3: not-affected
precise_ruby-actionpack-2.3: not-affected
precise/esm_ruby-actionpack-2.3: DNE (precise was not-affected)
quantal_ruby-actionpack-2.3: not-affected
raring_ruby-actionpack-2.3: not-affected
saucy_ruby-actionpack-2.3: not-affected
trusty_ruby-actionpack-2.3: DNE
trusty/esm_ruby-actionpack-2.3: DNE
utopic_ruby-actionpack-2.3: DNE
vivid_ruby-actionpack-2.3: DNE
vivid/stable-phone-overlay_ruby-actionpack-2.3: DNE
vivid/ubuntu-core_ruby-actionpack-2.3: DNE
wily_ruby-actionpack-2.3: DNE
xenial_ruby-actionpack-2.3: DNE
yakkety_ruby-actionpack-2.3: DNE
zesty_ruby-actionpack-2.3: DNE
artful_ruby-actionpack-2.3: DNE
bionic_ruby-actionpack-2.3: DNE
cosmic_ruby-actionpack-2.3: DNE
disco_ruby-actionpack-2.3: DNE
devel_ruby-actionpack-2.3: DNE

Patches_ruby-rails-3.2:
upstream_ruby-rails-3.2: not-affected
hardy_ruby-rails-3.2: DNE
lucid_ruby-rails-3.2: DNE
natty_ruby-rails-3.2: DNE
oneiric_ruby-rails-3.2: DNE
precise_ruby-rails-3.2: DNE
precise/esm_ruby-rails-3.2: DNE
quantal_ruby-rails-3.2: not-affected (code not present)
raring_ruby-rails-3.2: not-affected (code not present)
saucy_ruby-rails-3.2: not-affected (code not present)
trusty_ruby-rails-3.2: not-affected (code not present)
trusty/esm_ruby-rails-3.2: DNE (trusty was not-affected [code not present])
utopic_ruby-rails-3.2: DNE
vivid_ruby-rails-3.2: DNE
vivid/stable-phone-overlay_ruby-rails-3.2: DNE
vivid/ubuntu-core_ruby-rails-3.2: DNE
wily_ruby-rails-3.2: DNE
xenial_ruby-rails-3.2: DNE
yakkety_ruby-rails-3.2: DNE
zesty_ruby-rails-3.2: DNE
artful_ruby-rails-3.2: DNE
bionic_ruby-rails-3.2: DNE
cosmic_ruby-rails-3.2: DNE
disco_ruby-rails-3.2: DNE
devel_ruby-rails-3.2: DNE

Patches_ruby-actionpack-3.2:
upstream_ruby-actionpack-3.2: needed
hardy_ruby-actionpack-3.2: DNE
lucid_ruby-actionpack-3.2: DNE
natty_ruby-actionpack-3.2: DNE
oneiric_ruby-actionpack-3.2: DNE
precise_ruby-actionpack-3.2: DNE
precise/esm_ruby-actionpack-3.2: DNE
quantal_ruby-actionpack-3.2: ignored (reached end-of-life)
raring_ruby-actionpack-3.2: ignored (reached end-of-life)
saucy_ruby-actionpack-3.2: ignored (reached end-of-life)
trusty_ruby-actionpack-3.2: ignored (reached end-of-life)
trusty/esm_ruby-actionpack-3.2: DNE (trusty was needed)
utopic_ruby-actionpack-3.2: DNE
vivid_ruby-actionpack-3.2: DNE
vivid/stable-phone-overlay_ruby-actionpack-3.2: DNE
vivid/ubuntu-core_ruby-actionpack-3.2: DNE
wily_ruby-actionpack-3.2: DNE
xenial_ruby-actionpack-3.2: DNE
yakkety_ruby-actionpack-3.2: DNE
zesty_ruby-actionpack-3.2: DNE
artful_ruby-actionpack-3.2: DNE
bionic_ruby-actionpack-3.2: DNE
cosmic_ruby-actionpack-3.2: DNE
disco_ruby-actionpack-3.2: DNE
devel_ruby-actionpack-3.2: DNE
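Added example, not part of the tracker record or of Rails itself: a stand-alone Ruby model of the bug class the Description names (a helper that interpolates a caller-supplied `:prompt` string into an `<option>` element and then marks the result as trusted HTML, so the framework's automatic output escaping never touches it) next to the hardened form that escapes the prompt before building the markup. Rails' `String#html_safe` is modelled here by plain string return values; the escaping is the stdlib `ERB::Util.html_escape`, which is what a fix of this kind relies on. The `affected_by_cve_2012_3463?` check encodes only the version ranges stated in the Description (3.0.x before 3.0.17, 3.1.x before 3.1.8, 3.2.x before 3.2.8); the malicious prompt string and the version strings are constructed test inputs, and the function and constant names are this example's own.

```ruby
require "erb"
require "rubygems"

# Constructed attacker-controlled prompt text (hypothetical input). In a real
# application this would be a prompt that originates from user-influenced data,
# e.g. a value read back from the request and passed as :prompt to select_tag.
MALICIOUS_PROMPT = %q{"><script>alert(1)</script>}

# Models the vulnerable pattern: the prompt is interpolated verbatim into the
# markup. The caller then treats the string as already-safe HTML, so no
# escaping happens downstream and the injected tag reaches the browser.
def select_prompt_vulnerable(prompt)
  %(<option value="">#{prompt}</option>)
end

# Hardened pattern: escape the prompt *before* it is placed into markup that
# will be marked as safe. Escaping after html_safe would be too late, because
# a safe-marked string is passed through untouched.
def select_prompt_fixed(prompt)
  %(<option value="">#{ERB::Util.html_escape(prompt)}</option>)
end

# Crude detector for the demonstration: does the rendered fragment still carry
# an unescaped <script element?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

# Fixed versions per minor branch, taken from the CVE Description above.
# 2.3.x is not listed because the tracker marks it not-affected.
FIXED_IN = {
  "3.0" => "3.0.17",
  "3.1" => "3.1.8",
  "3.2" => "3.2.8",
}.freeze

# Returns true if the given Rails/actionpack version falls inside one of the
# affected ranges, using RubyGems' own version ordering (so "3.2.10" > "3.2.8").
def affected_by_cve_2012_3463?(version_string)
  version = Gem::Version.new(version_string)
  major, minor = version.segments
  fixed = FIXED_IN["#{major}.#{minor}"]
  return false unless fixed
  version < Gem::Version.new(fixed)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{select_prompt_vulnerable(MALICIOUS_PROMPT)}"
  puts "fixed:      #{select_prompt_fixed(MALICIOUS_PROMPT)}"
  %w[3.0.16 3.0.17 3.1.7 3.1.8 3.2.7 3.2.8 2.3.14].each do |v|
    puts "#{v}: #{affected_by_cve_2012_3463?(v) ? 'AFFECTED' : 'not affected'}"
  end
end
```

The practitioner check for an application is therefore two-fold: confirm the actionpack version in Gemfile.lock is at or above the fixed release for its branch, and, where a locally patched or vendored copy of form_tag_helper.rb is in use, confirm that the prompt is passed through an HTML escaper before the string is marked html_safe rather than after.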