Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201412-28 ] Ruby on Rails: Multiple vulnerabilities
Date: Sun, 14 Dec 2014 20:35:40
Message-Id: 548DF452.5020004@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-28
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Ruby on Rails: Multiple vulnerabilities
Date: December 14, 2014
Bugs: #354249, #379511, #386377, #450974, #453844, #456840, #462452
ID: 201412-28

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Ruby on Rails, the worst of
which allows execution of arbitrary code.

Background
==========

Ruby on Rails is a web-application and persistence framework.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-ruby/rails            < 2.3.18                    >= 2.3.18 *
    -------------------------------------------------------------------
     NOTE: Packages marked with asterisks require manual intervention!

Description
===========

Multiple vulnerabilities have been discovered in Ruby on Rails. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could execute arbitrary code or cause a Denial of
Service condition. Furthermore, a remote attacker may be able to
execute arbitrary SQL commands, change parameter names for form inputs
and make changes to arbitrary records in the system, bypass intended
access restrictions, render arbitrary views, inject arbitrary web
script or HTML, or conduct cross-site request forgery (CSRF) attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ruby on Rails 2.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.18"

NOTE: All applications using Ruby on Rails should also be configured to
use the latest version available by running "rake rails:update" inside
the application directory.

NOTE: This is a legacy GLSA, and stable updates for Ruby on Rails,
including the unaffected version listed above, are no longer available
from Gentoo. It may be possible to upgrade to the 3.2, 4.0, or 4.1
branches; however, these packages are not currently stable.
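
As an added example (not part of this advisory or of Gentoo's own tooling), the check below reads installed dev-ruby/rails package names, as they appear as directory names under /var/db/pkg/dev-ruby, and reports those still below the unaffected 2.3.18 from the table above. Versions are compared component by component as numbers, since a plain string sort would wrongly place 2.3.5 after 2.3.18; the -rN revision suffix and the sample input are assumptions for illustration.

```shell
# Unaffected version from the GLSA table: anything below this is vulnerable.
UNAFFECTED="2.3.18"

# version_lt A B: succeed when dotted version A sorts before B, comparing
# numeric components left to right (missing components count as 0).
# Assumes plain numeric components, as in the versions this GLSA lists.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"
    if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
    ah="${ah:-0}"; bh="${bh:-0}"
    if [ "$ah" -lt "$bh" ]; then return 0; fi
    if [ "$ah" -gt "$bh" ]; then return 1; fi
  done
  return 1   # equal versions are not "less than"
}

# vulnerable_rails: read installed package directory names (as found under
# /var/db/pkg/dev-ruby) from stdin and print those in the vulnerable range.
# A Gentoo revision suffix such as -r1 (assumed here) does not change the
# upstream version, so it is stripped before comparing.
vulnerable_rails() {
  while IFS= read -r atom; do
    case "$atom" in rails-*) ;; *) continue ;; esac
    v="${atom#rails-}"; v="${v%%-r*}"
    if version_lt "$v" "$UNAFFECTED"; then echo "$atom"; fi
  done
}

# Constructed sample input standing in for `ls /var/db/pkg/dev-ruby`.
printf 'rails-2.3.14\nrails-2.3.18\nrails-3.2.19\nrails-2.3.5-r1\n' | vulnerable_rails
```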

References
==========

[ 1 ] CVE-2010-3933
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3933
[ 2 ] CVE-2011-0446
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0446
[ 3 ] CVE-2011-0447
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0447
[ 4 ] CVE-2011-0448
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0448
[ 5 ] CVE-2011-0449
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0449
[ 6 ] CVE-2011-2929
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2929
[ 7 ] CVE-2011-2930
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2930
[ 8 ] CVE-2011-2931
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2931
[ 9 ] CVE-2011-2932
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2932
[ 10 ] CVE-2011-3186
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3186
[ 11 ] CVE-2013-0155
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0155
[ 12 ] CVE-2013-0156
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0156
[ 13 ] CVE-2013-0276
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0276
[ 14 ] CVE-2013-0277
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0277
[ 15 ] CVE-2013-0333
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0333
[ 16 ] CVE-2013-1854
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1854
[ 17 ] CVE-2013-1855
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1855
[ 18 ] CVE-2013-1856
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1856
[ 19 ] CVE-2013-1857
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1857

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-28.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
