Bugzilla – Bug 668817
VUL-0: ruby on rails multiple vulnerabilities
Last modified: 2012-09-24 11:00:22 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE. Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

CRD 8.2., 21h

* XSS Risk with mail_to (CVE-2011-0446)
  Affected: >= 0.9.5
* CSRF Vulnerability in protect_from_forgery (CVE-2011-0447)
  Affected: >= 2.1.0
* SQL Injection Vulnerability with limit(): 3.0.x only (CVE-2011-0448)
  Affected: >= 3.0.0
* Ability to skip filters with certain filesystem configurations (CVE-2011-0449)
  Affected: >= 3.0.0 when deployed on a case-insensitive filesystem.
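The limit() item above (CVE-2011-0448) is the classic case of a request-controlled value reaching a SQL string unvalidated. The block below is an added example written for this page, not Rails' own code or its actual patch: a `sanitize_limit` helper that accepts only an integer or an "offset,count" integer pair and raises on anything else, shown next to the unvalidated interpolation the advisory describes. Function names, the `users` table and the sample inputs are constructed for illustration.

```ruby
# Added example, not Rails' own code: reject user-controlled LIMIT values
# that are not plain integers before they reach a SQL string.

class UnsafeLimit < StandardError; end

# Accepts an Integer, or a String holding one integer ("10") or a MySQL
# style "offset,count" pair ("20,10"). Anything else raises UnsafeLimit.
def sanitize_limit(limit)
  parts =
    case limit
    when Integer then [limit]
    when String  then limit.split(",", -1).map { |p| Integer(p.strip, 10) }
    else raise UnsafeLimit, "unsupported limit type #{limit.class}"
    end
  raise UnsafeLimit, "bad limit #{limit.inspect}" unless (1..2).cover?(parts.size)
  raise UnsafeLimit, "negative limit #{limit.inspect}" if parts.any?(&:negative?)
  parts.join(",")
rescue ArgumentError, TypeError
  # Integer() rejects anything non-numeric, including an injected tail
  # such as "1; DROP TABLE users" or "1 UNION SELECT ...".
  raise UnsafeLimit, "non-numeric limit #{limit.inspect}"
end

# The pattern the advisory describes: a limit taken from the request and
# interpolated straight into the SQL. Constructed illustration only.
def unsafe_query(limit)
  "SELECT * FROM users LIMIT #{limit}"
end

# Hardened form: the limit is validated before interpolation.
def safe_query(limit)
  "SELECT * FROM users LIMIT #{sanitize_limit(limit)}"
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_query("1; DROP TABLE users")   # injected tail survives
  puts safe_query("20,10")                   # validated pair passes through
  begin
    safe_query("1; DROP TABLE users")
  rescue UnsafeLimit => e
    puts "rejected: #{e.message}"
  end
end
```

The check deliberately does not try to strip or escape the bad characters: a limit is numeric or it is rejected, which is the only rule that survives every database dialect.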
p5->p3 mass change
CVE-2011-0447: http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html This one is at least public.
CVE-2011-0446: CVSS v2 Base Score: 5.8 (moderate) (AV:N/AC:M/Au:N/C:P/I:P/A:N): Cross-Site Scripting (XSS) (CWE-79)
CVE-2011-0447: CVSS v2 Base Score: 5.8 (moderate) (AV:N/AC:M/Au:N/C:P/I:P/A:N): Cross-Site Request Forgery (CSRF) (CWE-352)
CVE-2011-0448: CVSS v2 Base Score: 5.8 (moderate) (AV:A/AC:L/Au:N/C:P/I:P/A:P): SQL Injection (CWE-89)
CVE-2011-0449: CVSS v2 Base Score: 6.4 (moderate) (AV:N/AC:L/Au:N/C:P/I:P/A:N): Permissions, Privileges, and Access Control (CWE-264)
submitted.
JFYI: for sle10 you will also need the rubygem-activesupport-2_0 package that I submitted.
The SWAMPID for this issue is 42217. This issue was rated as moderate. Please submit fixed packages until 2011-08-01. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Should be all submitted now.
Update released for: rubygem-actionmailer, rubygem-actionmailer-2_3, rubygem-actionmailer-2_3-doc, rubygem-actionmailer-2_3-testsuite, rubygem-actionpack, rubygem-actionpack-2_3, rubygem-actionpack-2_3-doc, rubygem-actionpack-2_3-testsuite, rubygem-activerecord, rubygem-activerecord-2_3, rubygem-activerecord-2_3-doc, rubygem-activerecord-2_3-testsuite, rubygem-activeresource, rubygem-activeresource-2_3, rubygem-activeresource-2_3-doc, rubygem-activeresource-2_3-testsuite, rubygem-activesupport, rubygem-activesupport-2_3, rubygem-activesupport-2_3-doc, rubygem-rack, rubygem-rails, rubygem-rails-2_3, rubygem-rails-2_3-doc
Products: openSUSE 11.3 (i586, x86_64), openSUSE 11.4 (i586, x86_64)

Update released for: rubygem-actionpack-2_1, rubygem-activerecord-2_1
Products: SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)

Update released for: rubygem-actionmailer-2_3, rubygem-actionpack-2_3, rubygem-activerecord-2_3, rubygem-activeresource-2_3, rubygem-activesupport-2_3, rubygem-rack, rubygem-rack-doc, rubygem-rack-testsuite, rubygem-rails, rubygem-rails-2_3
Products: SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-SLMS 1.2 (x86_64), SLE-STUDIOONSITE 1.2 (x86_64), SLE-STUDIOONSITERUNNER 1.2 (s390x), SLE-WEBYAST 1.0-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-WEBYAST 1.2 (i386, ia64, ppc64, s390x, x86_64)
released!
Update released for: hawk, hawk-debuginfo
Products: SLE-HAE 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
This is an autogenerated message for OBS integration: This bug (668817) was mentioned in
https://build.opensuse.org/request/show/135622 Evergreen:11.2 / rubygem-actionmailer-2_3
https://build.opensuse.org/request/show/135624 Evergreen:11.2 / rubygem-actionpack-2_3
https://build.opensuse.org/request/show/135626 Evergreen:11.2 / rubygem-activerecord-2_3
https://build.opensuse.org/request/show/135628 Evergreen:11.2 / rubygem-activeresource-2_3
https://build.opensuse.org/request/show/135629 Evergreen:11.2 / rubygem-activesupport-2_3
https://build.opensuse.org/request/show/135632 Evergreen:11.2 / rubygem-rails-2_3