Key vulnerability information

Vulnerability name and ID
- Bug 731435 (CVE-2011-2932)
- CVE-2011-2932 rubygem-activesupport: XSS vulnerability in escaping function (Ruby on Rails)

Vulnerability description
- An XSS vulnerability in the escaping code used by Ruby on Rails was reported: using a specially crafted malformed unicode string, an attacker can bypass the escaping code. Due to a bug in the Ruby 1.8 regular expression code that the Ruby on Rails replacement for ERB relies on, certain malformed unicode strings are not escaped. These strings can then be interpreted as HTML by some browsers.

Affected versions
- rubygem-activesupport 2.3.13, 2.3.10, and 3.1.0rc5
- Only affects platforms using Ruby 1.8.x (Ruby 1.9.x renders this ineffective).

Fixed versions
- rubygem-activesupport 2.3.13, 3.0.10, 3.1.0

CVE ID
- CVE-2011-2932

Published security advisories
- https://admin.fedoraproject.org/updates/rubygem-activesupport-2.3.8-4.fc14
- https://admin.fedoraproject.org/updates/rubygem-activesupport-3.0.5-4.fc15

Related Fedora releases
- Fedora-14
- Fedora-15
- EPEL 5 stable repository

Report and fix dates
- Reported: 2011-08-17
- Last Closed: 2013-01-16

Status
- Closed ERRATA
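The failure mode the record describes is an escaper whose regular expression walks the input as unicode characters, so a malformed multibyte sequence can interfere with how the special characters after it are matched. The defensive pattern is to escape on bytes, then repair the encoding of the result, and to verify the output with an independent check. The following is an added example, not code from the Rails project or from the bug report; `html_escape_bytewise`, `naive_escape` and `safely_escaped?` are names chosen here, and the malformed input strings are constructed for the test. Modern Ruby (1.9+) raises `ArgumentError` when a regex is run over an invalid byte sequence instead of silently mis-scanning it, which is the behaviour `naive_escape` reports, so the Ruby 1.8 bypass itself is not reproducible here.

```ruby
# Added example: byte-safe HTML escaping plus an output check.
HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#39;'
}.freeze

SPECIALS = /[&<>"']/

# Escaper in the shape the record describes: a regex applied to the string in
# its declared (unicode) encoding. On a malformed UTF-8 input, Ruby 1.9+ refuses
# to scan and raises; we return the exception class so callers can see it.
def naive_escape(str)
  str.to_s.gsub(SPECIALS) { |c| HTML_ESCAPE[c] }
rescue ArgumentError => e
  e.class
end

# Hardened escaper: force a binary view so the regex matches individual bytes.
# An incomplete multibyte prefix can then never absorb a following '<' or '"'.
# Afterwards restore UTF-8 and replace any invalid sequences with U+FFFD, so the
# output is both fully escaped and a valid string for downstream code.
def html_escape_bytewise(str)
  escaped = str.to_s.b.gsub(SPECIALS) { |c| HTML_ESCAPE[c] }
  escaped.force_encoding(Encoding::UTF_8).scrub("\uFFFD")
end

# Independent check on escaper output, also evaluated on raw bytes: no special
# character may survive unescaped, and every '&' must begin one of our entities.
def safely_escaped?(html)
  bytes = html.to_s.b
  return false if bytes =~ /[<>"']/
  bytes.scan(/&[^&;]*;?/).all? { |ent| HTML_ESCAPE.values.include?(ent) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a plain tag, and a tag preceded by a lone lead byte.
  ["<b>bold</b>", "\xE3<script>"].each do |input|
    puts "naive:    #{naive_escape(input).inspect}"
    out = html_escape_bytewise(input)
    puts "bytewise: #{out.inspect} safe=#{safely_escaped?(out)}"
  end
end
```

The check in `safely_escaped?` is deliberately not the inverse of the escaper: it looks only at the bytes that matter for HTML, so it catches an escaper that is confused by the encoding regardless of how that confusion arises.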