Upstream information
Description
Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

NVD CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
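The flaw described above is a policy error rather than a token-generation bug: the check was skipped for requests whose Content-Type the framework assumed a browser could not send cross-origin, and an HTML form with enctype="text/plain" sends exactly such a request. The example below is added here to illustrate that; it is not Rails code and not the actual Rails patch. The request layout, the UNVERIFIED_TYPES list, and the helper names are constructed for the illustration, and the forged request carries its real parameters in the query string, which is merged into params for every method.

```ruby
require 'set'
require 'securerandom'
require 'cgi'

# Added example, not Rails code: a minimal CSRF verifier with the flawed policy
# (token check skipped for some content types) beside a hardened policy that
# checks every state-changing request regardless of content type.

SAFE_METHODS = %w[GET HEAD].freeze

# Constructed approximation of the flawed assumption: these types were treated
# as impossible to send cross-origin, so verification was skipped for them.
# A form with enctype="text/plain" defeats that assumption.
UNVERIFIED_TYPES = Set.new(%w[text/plain application/json text/xml application/xml]).freeze

# Constant-time comparison so the token check itself does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Request hash layout (constructed for this example):
# { method:, content_type:, query:, body:, headers: }
def params_for(req)
  # Query-string parameters are merged for every method; the body is only
  # decoded as parameters when it is actually form-encoded.
  params = CGI.parse(req[:query].to_s).transform_values(&:first)
  if req[:content_type] == 'application/x-www-form-urlencoded'
    params.merge!(CGI.parse(req[:body].to_s).transform_values(&:first))
  end
  params
end

# Flawed policy: the second early return is the bypass.
def flawed_verified?(req, session_token)
  return true if SAFE_METHODS.include?(req[:method])
  return true if UNVERIFIED_TYPES.include?(req[:content_type])
  secure_compare(params_for(req)['authenticity_token'].to_s, session_token)
end

# Hardened policy: every non-GET/HEAD request must present the session token,
# either as a parameter or in a request header, whatever its Content-Type.
def hardened_verified?(req, session_token)
  return true if SAFE_METHODS.include?(req[:method])
  token = params_for(req)['authenticity_token'] || req[:headers]['X-CSRF-Token']
  secure_compare(token.to_s, session_token)
end

# What a cross-site <form method="post" enctype="text/plain"> produces: a
# text/plain body the attacker does not care about, with the real parameters
# placed in the action URL's query string.
def forged_request
  { method: 'POST', content_type: 'text/plain',
    query: 'user[email]=attacker@example.com',
    body: "ignored=1\r\n", headers: {} }
end

# A same-origin form submission that carries the authenticity token.
def legitimate_request(token)
  { method: 'POST', content_type: 'application/x-www-form-urlencoded',
    query: '',
    body: "authenticity_token=#{CGI.escape(token)}&user[email]=me@example.com",
    headers: {} }
end

def demo
  token = SecureRandom.hex(16)
  {
    forged_passes_flawed:   flawed_verified?(forged_request, token),
    forged_passes_hardened: hardened_verified?(forged_request, token),
    legit_passes_flawed:    flawed_verified?(legitimate_request(token), token),
    legit_passes_hardened:  hardened_verified?(legitimate_request(token), token),
    forged_params:          params_for(forged_request)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints a hash in which the forged text/plain request passes the flawed check while still delivering attacker-controlled parameters, and fails the hardened check; the legitimate token-bearing request passes both. The practical rule for an application is the hardened one: never key the CSRF decision on Content-Type, and on SUSE apply the package updates listed below rather than working around it in application code.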
Novell/SUSE information
Novell Bugzilla entry: 564362

SUSE Security Advisories:
- SUSE-SR:2010:005, published Tue, 23 Feb 2010 14:00:00 +0000
- SUSE-SR:2010:006, published Mon, 15 Mar 2010 11:11:00 +0000
- openSUSE-SU-2010:0186-1, published Fri, 16 Apr 2010 16:11:59 +0200 (CEST)
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Linux Enterprise SDK 11 GA (sle11-sdk.ia64, sle11-sdk.x86-64, sle11-sdk.s390x, sle11-sdk.x86, sle11-sdk.ppc) | | SAT Patch Nr: 1936 |
| openSUSE 11.0 | | |
| openSUSE 11.1 | | |
| openSUSE 11.2 | | |
| SUSE Linux Enterprise SDK 10 SP2 (sle10-sp2-sdk.x86, sle10-sp2-sdk.s390x, sle10-sp2-sdk.ia64, sle10-sp2-sdk.x86-64, sle10-sp2-sdk.ppc) | | ZYPP Patch Nr: 6872 |
| SUSE Lifecycle Management Server, SUSE Studio Onsite, SUSE Webyast (slms1.x86-64) | | SAT Patch Nr: 2001 |
| SUSE Linux Enterprise SDK 10 SP3 (sle10-sp3-sdk.ia64, sle10-sp3-sdk.ppc, sle10-sp3-sdk.x86, sle10-sp3-sdk.s390x, sle10-sp3-sdk.x86-64) | | ZYPP Patch Nr: 6874 |
