diaspora* security release 0.5.6.2 and 0.5.6.3

26 January 2016

We just released diaspora* versions 0.5.6.2 and 0.5.6.3, which fix the following vulnerabilities in the Rails components and the rails-html-sanitizer gem that diaspora* depends on:

  • CVE-2016-0751 - Possible Object Leak and Denial of Service attack in Action Pack
  • CVE-2015-7581 - Object leak vulnerability for wildcard controller routes in Action Pack
  • CVE-2015-7576 - Timing attack vulnerability in basic authentication in Action Controller
  • CVE-2016-0752 - Possible Information Leak Vulnerability in Action View
  • CVE-2016-0753 - Possible Input Validation Circumvention in Active Model
  • CVE-2015-7577 - Nested attributes rejection proc bypass in Active Record
  • CVE-2015-7579 - XSS vulnerability in rails-html-sanitizer
  • CVE-2015-7578 - Possible XSS vulnerability in rails-html-sanitizer

Version 0.5.6.3 is a hotfix for the hotfix: it repairs a regression introduced by one of these security fixes that we did not notice at first. Pods that already updated to 0.5.6.2 should therefore move on to 0.5.6.3.

Updating

Please update as soon as possible. Update instructions are available as usual in the wiki.
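As an added example (not part of the release notes or of the diaspora* code base), here is a small POSIX shell check a pod administrator can run before and after updating to confirm the running version is at least 0.5.6.3. It compares version components numerically, because a plain string comparison would rank a future 0.5.10.x below 0.5.6.3. It assumes, as an untested guess, that the checkout stores its version as `number: "x.y.z"` in `config/defaults.yml` or is a git checkout of a release tag; adjust `installed_version` if your pod keeps the version elsewhere.

```shell
#!/bin/sh
# Added example, not from the diaspora* release notes. Both 0.5.6.2 and
# 0.5.6.3 carry the security fixes, but 0.5.6.2 has the regression, so the
# version every pod should be running is 0.5.6.3.
FIXED_VERSION="0.5.6.3"

# version_lt A B: exit 0 if release A is older than release B, 1 otherwise.
# Dot-separated components are compared as integers, so 0.5.10.0 correctly
# sorts after 0.5.6.3; a missing component counts as 0. A leading "v"
# (as on git tags) is ignored.
version_lt() {
    a=${1#v}; b=${2#v}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        # drop the component just read; an empty remainder ends that side
        if [ "$ac" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bc" = "$b" ]; then b=""; else b=${b#*.}; fi
        ac=${ac:-0}; bc=${bc:-0}
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
    done
    return 1
}

# needs_update INSTALLED: exit 0 when INSTALLED is older than FIXED_VERSION.
needs_update() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version [POD_DIR]: print the pod's version string.
# Assumption (not stated in the release notes): the checkout has
# config/defaults.yml with a `number: "x.y.z"` line, or is a git checkout
# of a release tag such as v0.5.6.3.
installed_version() {
    dir=${1:-.}
    if [ -r "$dir/config/defaults.yml" ]; then
        sed -n 's/^ *number: *"\{0,1\}\([0-9][0-9.]*\)"\{0,1\}.*/\1/p' \
            "$dir/config/defaults.yml" | head -n 1
    elif [ -d "$dir/.git" ]; then
        git -C "$dir" describe --tags --abbrev=0 2>/dev/null | sed 's/^v//'
    fi
}

# Usage: sh check-pod-version.sh /path/to/diaspora
if [ -n "$1" ]; then
    current=$(installed_version "$1")
    if [ -z "$current" ]; then
        echo "could not determine the pod version in $1" >&2
        exit 2
    elif needs_update "$current"; then
        echo "pod runs $current: older than $FIXED_VERSION, update now"
        exit 1
    else
        echo "pod runs $current: at or above $FIXED_VERSION"
    fi
fi
```

Exit status 1 means the pod is still on a vulnerable (or regression-carrying) release, which makes the script easy to wire into a cron job or monitoring check across several pods.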