diaspora* security release 0.5.6.2 and 0.5.6.3
26 January 2016
We have just released diaspora* versions 0.5.6.2 and 0.5.6.3, which fix the following vulnerabilities in diaspora*'s Rails dependencies:
- CVE-2016-0751 - Possible Object Leak and Denial of Service attack in Action Pack
- CVE-2015-7581 - Object leak vulnerability for wildcard controller routes in Action Pack
- CVE-2015-7576 - Timing attack vulnerability in basic authentication in Action Controller
- CVE-2016-0752 - Possible Information Leak Vulnerability in Action View
- CVE-2016-0753 - Possible Input Validation Circumvention in Active Model
- CVE-2015-7577 - Nested attributes rejection proc bypass in Active Record
- CVE-2015-7579 - XSS vulnerability in rails-html-sanitizer
- CVE-2015-7578 - Possible XSS vulnerability in rails-html-sanitizer
Version 0.5.6.3 is a follow-up hotfix: it fixes a regression introduced by one of the security fixes, which we did not notice at first.
Please update as soon as possible. Update instructions are available as usual in the wiki.