Bug 668817 - VUL-0: ruby on rails multiple vulnerabilities
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
maint:released:11.3:44208 maint:relea...
Reported: 2011-02-02 08:05 UTC by Ludwig Nussel
Modified: 2012-09-24 11:00 UTC (History)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Ludwig Nussel 2011-02-02 08:05:48 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

CRD 8.2., 21h

* XSS Risk with mail_to (CVE-2011-0446)
Affected: >= 0.9.5

* CSRF Vulnerability in protect_from_forgery: (CVE-2011-0447)
Affected: >= 2.1.0

* SQL Injection Vulnerability with limit(): 3.0.x only (CVE-2011-0448)
Affected: >= 3.0.0

* Ability to skip filters with certain filesystem configurations (CVE-2011-0449)
Affected: >= 3.0.0 when deployed on a case-insensitive filesystem.
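The limit() item in the report above (CVE-2011-0448) belongs to the class of bugs where a caller-supplied value reaches the SQL LIMIT clause without being constrained to an integer. The following is an added example, not Rails code and not the patch shipped for this bug: it models an unsafe clause builder next to a hardened one that accepts only an Integer or a plain "count" / "offset,count" string and rejects everything else. The function names, the SQL shape, the UnsafeLimit error class and the payload string are assumptions constructed for illustration; it runs with plain Ruby and no ActiveRecord.

```ruby
# Added example (not Rails code): unsanitized vs. sanitized LIMIT clause.
# Everything here is constructed for illustration; the SQL shape is assumed.

# Vulnerable pattern: whatever the caller passes is interpolated verbatim,
# so a string from params[] lands in the statement unchanged.
def limit_clause_unsafe(base_sql, limit)
  "#{base_sql} LIMIT #{limit}"
end

# Raised when the LIMIT value is not a plain integer form.
class UnsafeLimit < ArgumentError; end

# Hardened pattern: accept an Integer, or a String that is exactly one
# integer or an "offset,count" pair of integers (the MySQL spelling).
# Anything else, including nil, is rejected before it reaches SQL.
def sanitize_limit(limit)
  case limit
  when Integer
    limit
  when String
    unless limit.match?(/\A\s*\d+(\s*,\s*\d+)?\s*\z/)
      raise UnsafeLimit, "rejected LIMIT value: #{limit.inspect}"
    end
    # Normalize: strip whitespace and re-emit as digits only.
    limit.strip.split(",").map { |n| Integer(n.strip) }.join(",")
  else
    raise UnsafeLimit, "rejected LIMIT value of type #{limit.class}"
  end
end

def limit_clause_safe(base_sql, limit)
  "#{base_sql} LIMIT #{sanitize_limit(limit)}"
end

# Constructed attacker-controlled value, e.g. taken from a per_page parameter.
PAYLOAD = "1; DROP TABLE users--"
BASE_SQL = "SELECT * FROM users"

if __FILE__ == $0
  puts limit_clause_unsafe(BASE_SQL, PAYLOAD)   # payload reaches the statement
  begin
    puts limit_clause_safe(BASE_SQL, PAYLOAD)
  rescue UnsafeLimit => e
    puts "blocked: #{e.message}"
  end
  puts limit_clause_safe(BASE_SQL, "10")
  puts limit_clause_safe(BASE_SQL, " 5 , 20 ")
end
```

The check is a whitelist on shape rather than a blacklist of dangerous characters: only digits, an optional comma and surrounding whitespace are allowed, so a value that is not a LIMIT at all is rejected outright instead of being "cleaned".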
Comment 2 Thomas Biege 2011-02-04 10:34:47 UTC
p5->p3 mass change
Comment 4 Thomas Biege 2011-02-24 16:02:24 UTC
CVE-2011-0446: CVSS v2 Base Score: 5.8 (moderate) (AV:N/AC:M/Au:N/C:P/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79)
CVE-2011-0447: CVSS v2 Base Score: 5.8 (moderate) (AV:N/AC:M/Au:N/C:P/I:P/A:N): Cross-Site Request Forgery (CSRF) (CWE-352)
CVE-2011-0448: CVSS v2 Base Score: 5.8 (moderate) (AV:A/AC:L/Au:N/C:P/I:P/A:P): SQL Injection (CWE-89)
CVE-2011-0449: CVSS v2 Base Score: 6.4 (moderate) (AV:N/AC:L/Au:N/C:P/I:P/A:N): Permissions, Privileges, and Access Control (CWE-264)
Comment 7 Marcus Rückert 2011-07-15 18:00:55 UTC
Comment 8 Marcus Rückert 2011-07-15 18:03:31 UTC
JFYI for SLE10 you will also need the rubygem-activesupport-2_0 package that I submitted.
Comment 9 Swamp Workflow Management 2011-07-18 07:35:20 UTC
The SWAMPID for this issue is 42217.
This issue was rated as moderate.
Please submit fixed packages until 2011-08-01.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 17 Marcus Rückert 2011-11-07 22:19:15 UTC
Should be all submitted now.
Comment 18 Swamp Workflow Management 2011-12-07 10:58:12 UTC
Update released for: rubygem-actionmailer, rubygem-actionmailer-2_3, rubygem-actionmailer-2_3-doc, rubygem-actionmailer-2_3-testsuite, rubygem-actionpack, rubygem-actionpack-2_3, rubygem-actionpack-2_3-doc, rubygem-actionpack-2_3-testsuite, rubygem-activerecord, rubygem-activerecord-2_3, rubygem-activerecord-2_3-doc, rubygem-activerecord-2_3-testsuite, rubygem-activeresource, rubygem-activeresource-2_3, rubygem-activeresource-2_3-doc, rubygem-activeresource-2_3-testsuite, rubygem-activesupport, rubygem-activesupport-2_3, rubygem-activesupport-2_3-doc, rubygem-rack, rubygem-rails, rubygem-rails-2_3, rubygem-rails-2_3-doc
openSUSE 11.3 (i586, x86_64)
openSUSE 11.4 (i586, x86_64)
Comment 19 Swamp Workflow Management 2012-03-13 22:43:05 UTC
Update released for: rubygem-actionpack-2_1, rubygem-activerecord-2_1
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
Comment 20 Swamp Workflow Management 2012-03-30 13:26:27 UTC
Update released for: rubygem-actionmailer-2_3, rubygem-actionpack-2_3, rubygem-activerecord-2_3, rubygem-activeresource-2_3, rubygem-activesupport-2_3, rubygem-rack, rubygem-rack-doc, rubygem-rack-testsuite, rubygem-rails, rubygem-rails-2_3
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SLMS 1.2 (x86_64)
SLE-WEBYAST 1.0-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-WEBYAST 1.2 (i386, ia64, ppc64, s390x, x86_64)
Comment 21 Marcus Meissner 2012-03-30 13:32:41 UTC
Comment 22 Swamp Workflow Management 2012-03-30 13:46:39 UTC
Update released for: hawk, hawk-debuginfo
SLE-HAE 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
Comment 23 Bernhard Wiedemann 2012-09-24 11:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (668817) was mentioned in
https://build.opensuse.org/request/show/135622 Evergreen:11.2 / rubygem-actionmailer-2_3
https://build.opensuse.org/request/show/135624 Evergreen:11.2 / rubygem-actionpack-2_3
https://build.opensuse.org/request/show/135626 Evergreen:11.2 / rubygem-activerecord-2_3
https://build.opensuse.org/request/show/135628 Evergreen:11.2 / rubygem-activeresource-2_3
https://build.opensuse.org/request/show/135629 Evergreen:11.2 / rubygem-activesupport-2_3
https://build.opensuse.org/request/show/135632 Evergreen:11.2 / rubygem-rails-2_3