Candidate: CVE-2014-0081
PublicDate: 2014-02-20 15:27:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081
 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
 http://openwall.com/lists/oss-security/2014/02/18/8
Description:
 Multiple cross-site scripting (XSS) vulnerabilities in
 actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before
 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote
 attackers to inject arbitrary web script or HTML via the (1) format,
 (2) negative_format, or (3) units parameter to the (a) number_to_currency,
 (b) number_to_percentage, or (c) number_to_human helper.
Ubuntu-Description:
Notes:
 mdeslaur> in Oneiric+, rails package is just for transition
Bugs:
Priority: medium
Discovered-by: Kevin Reintjes
Assigned-to:
CVSS:

Patches_rails:
upstream: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
upstream_rails: released (4.0.3, 3.2.17)
lucid_rails: ignored (reached end-of-life)
precise_rails: not-affected (contains no code)
precise/esm_rails: DNE (precise was not-affected [contains no code])
quantal_rails: not-affected (contains no code)
saucy_rails: not-affected (contains no code)
trusty_rails: not-affected (contains no code)
trusty/esm_rails: DNE (trusty was not-affected [contains no code])
utopic_rails: not-affected (contains no code)
vivid_rails: not-affected (contains no code)
vivid/stable-phone-overlay_rails: DNE
vivid/ubuntu-core_rails: DNE
wily_rails: not-affected (contains no code)
xenial_rails: not-affected (contains no code)
yakkety_rails: not-affected (contains no code)
zesty_rails: not-affected (contains no code)
artful_rails: not-affected (contains no code)
bionic_rails: not-affected (contains no code)
cosmic_rails: not-affected (contains no code)
disco_rails: not-affected (contains no code)
devel_rails: not-affected (contains no code)

Patches_ruby-actionpack-2.3:
upstream_ruby-actionpack-2.3: ignored (reached end-of-life)
lucid_ruby-actionpack-2.3: DNE
precise_ruby-actionpack-2.3: ignored (reached end-of-life)
precise/esm_ruby-actionpack-2.3: DNE (precise was needed)
quantal_ruby-actionpack-2.3: ignored (reached end-of-life)
saucy_ruby-actionpack-2.3: ignored (reached end-of-life)
trusty_ruby-actionpack-2.3: DNE
trusty/esm_ruby-actionpack-2.3: DNE
utopic_ruby-actionpack-2.3: DNE
vivid_ruby-actionpack-2.3: DNE
vivid/stable-phone-overlay_ruby-actionpack-2.3: DNE
vivid/ubuntu-core_ruby-actionpack-2.3: DNE
wily_ruby-actionpack-2.3: DNE
xenial_ruby-actionpack-2.3: DNE
yakkety_ruby-actionpack-2.3: DNE
zesty_ruby-actionpack-2.3: DNE
artful_ruby-actionpack-2.3: DNE
bionic_ruby-actionpack-2.3: DNE
cosmic_ruby-actionpack-2.3: DNE
disco_ruby-actionpack-2.3: DNE
devel_ruby-actionpack-2.3: DNE

Patches_ruby-actionpack-3.2:
upstream: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
upstream_ruby-actionpack-3.2: released (4.0.3, 3.2.17)
lucid_ruby-actionpack-3.2: DNE
precise_ruby-actionpack-3.2: DNE
precise/esm_ruby-actionpack-3.2: DNE
quantal_ruby-actionpack-3.2: ignored (reached end-of-life)
saucy_ruby-actionpack-3.2: ignored (reached end-of-life)
trusty_ruby-actionpack-3.2: ignored (reached end-of-life)
trusty/esm_ruby-actionpack-3.2: DNE (trusty was needed)
utopic_ruby-actionpack-3.2: DNE
vivid_ruby-actionpack-3.2: DNE
vivid/stable-phone-overlay_ruby-actionpack-3.2: DNE
vivid/ubuntu-core_ruby-actionpack-3.2: DNE
wily_ruby-actionpack-3.2: DNE
xenial_ruby-actionpack-3.2: DNE
yakkety_ruby-actionpack-3.2: DNE
zesty_ruby-actionpack-3.2: DNE
artful_ruby-actionpack-3.2: DNE
bionic_ruby-actionpack-3.2: DNE
cosmic_ruby-actionpack-3.2: DNE
disco_ruby-actionpack-3.2: DNE
devel_ruby-actionpack-3.2: DNE

Patches_rails-4.0:
upstream: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
upstream_rails-4.0: released (4.0.3, 3.2.17)
lucid_rails-4.0: DNE
precise_rails-4.0: DNE
precise/esm_rails-4.0: DNE
quantal_rails-4.0: DNE
saucy_rails-4.0: DNE
trusty_rails-4.0: ignored (reached end-of-life)
trusty/esm_rails-4.0: DNE (trusty was needed)
utopic_rails-4.0: ignored (reached end-of-life)
vivid_rails-4.0: DNE
vivid/stable-phone-overlay_rails-4.0: DNE
vivid/ubuntu-core_rails-4.0: DNE
wily_rails-4.0: DNE
xenial_rails-4.0: DNE
yakkety_rails-4.0: DNE
zesty_rails-4.0: DNE
artful_rails-4.0: DNE
bionic_rails-4.0: DNE
cosmic_rails-4.0: DNE
disco_rails-4.0: DNE
devel_rails-4.0: DNE