Bugzilla – Bug 963335
VUL-0: CVE-2015-7581: rubygem-actionpack: unbounded memory growth DoS via wildcard controller routes
Last modified: 2017-09-11 16:05:41 UTC
EMBARGOED via distros CRD: 2016-01-25

Object leak vulnerability for wildcard controller routes in Action Pack

There is an object leak vulnerability for wildcard controllers in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2015-7581.

Versions Affected: >= 4.0.0 and < 5.0.0.beta1
Not affected: < 4.0.0, 5.0.0.beta1 and newer
Fixed Versions: 4.2.5.1, 4.1.14.1

Impact
------

Users that have a route that contains the string ":controller" are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain ":controller".

Internally, Action Pack keeps a map of "url controller name" to "controller class name". This map is cached globally, and is populated even if the controller class doesn't actually exist.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

There are no feasible workarounds for this issue.

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 4-1-wildcard_route.patch - Patch for 4.1 series
* 4-2-wildcard_route.patch - Patch for 4.2 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
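The mechanism the advisory describes, as an added illustration that is not Action Pack's own code: a global name-to-class map that memoises every controller name taken from a `:controller` wildcard segment grows without bound, while one that only stores names resolving to an existing controller class stays small. `PostsController`, the cache classes and `cache_sizes_after` are all constructed for this sketch.

```ruby
# Constructed sample application: the only controller that really exists.
class PostsController; end

# Vulnerable shape: every name seen in a :controller wildcard segment is
# memoised, whether or not the class exists, so the global Hash grows
# with each distinct attacker-chosen path segment.
class LeakyControllerCache
  def initialize
    @map = Hash.new { |h, name| h[name] = "#{name.capitalize}Controller" }
  end

  def resolve(name)
    class_name = @map[name]          # stored even for unknown controllers
    Object.const_defined?(class_name) ? Object.const_get(class_name) : nil
  end

  def size
    @map.size
  end
end

# Hardened shape: a name is stored only after it resolves to an existing
# controller class, so unknown names never enter the cache.
class BoundedControllerCache
  def initialize
    @map = {}
  end

  def resolve(name)
    return @map[name] if @map.key?(name)
    class_name = "#{name.capitalize}Controller"
    return nil unless Object.const_defined?(class_name)
    @map[name] = Object.const_get(class_name)
  end

  def size
    @map.size
  end
end

# Feed both caches the same request stream and report how many entries
# each retained: [leaky_size, bounded_size].
def cache_sizes_after(names)
  leaky, bounded = LeakyControllerCache.new, BoundedControllerCache.new
  names.each { |n| leaky.resolve(n); bounded.resolve(n) }
  [leaky.size, bounded.size]
end

# Constructed request stream: one real controller plus 1000 bogus names.
SAMPLE_NAMES = ["posts"] + (1..1000).map { |i| "bogus#{i}" }
puts cache_sizes_after(SAMPLE_NAMES).inspect   # => [1001, 1]
```

Repeated requests for the same unknown name do not add entries; the growth comes from the number of distinct names, which a remote client controls.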
Created attachment 662996 [details] 4-2-wildcard_route.patch
Created attachment 662997 [details] 4-1-wildcard_route.patch
bugbot adjusting priority
public via http://seclists.org/oss-sec/2016/q1/209
to sum up, we need to update:

Package                | Repo (Products)
-----------------------+-------------------------------------------------------
rubygem-actionpack-4_2 | SUSE:SLE-12:Update (Portus build dependency)
rubygem-actionpack-4_1 | SUSE:SLE-11-SP3:Update:Cloud5:Test:Update (CLOUD5)
rubygem-actionpack-3_2 | SUSE:SLE-11-SP2:Update (SLMS, WEBYAST and STUDIO*)
Portus**               | SUSE:SLE-12:Update
Studio***              | SUSE:SLE-11-SP2:Update

(*) rubygem-actionpack-3_2 rpm in studio is actually the webyast dependency. WebYast is installed on the studio onsite product and depends on that RPM. Studio also bundles the gem, but that is a different story.
(**) It is a build dependency for Portus, so we need to rebuild the package and release it.
(***) Studio it, so the patches need to be ported and the rpm rebuilt.
Sorry I misread the first comment, the rpms that need to be updated are:

Package                | Repo (Products)
-----------------------+-------------------------------------------------------
rubygem-actionpack-4_2 | SUSE:SLE-12:Update (Portus build dependency)
rubygem-actionpack-4_1 | SUSE:SLE-11-SP3:Update:Cloud5:Test:Update (CLOUD5)
Portus**               | SUSE:SLE-12:Update

(**) It is a build dependency for Portus, so we need to rebuild the package and release it.
Portus and studio bugs 963624 963625
This is an autogenerated message for OBS integration: This bug (963335) was mentioned in https://build.opensuse.org/request/show/356307 42.1 / rubygem-actionpack-4_2
All submissions done. Assigning to security-team.
openSUSE-SU-2016:0372-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963330,963331,963332,963334,963335
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753
Sources used:
openSUSE Leap 42.1 (src): rubygem-actionpack-4_2-4.2.4-6.1, rubygem-actionview-4_2-4.2.4-6.1, rubygem-activemodel-4_2-4.2.4-6.1, rubygem-activerecord-4_2-4.2.4-6.1, rubygem-activesupport-4_2-4.2.4-6.1
SUSE-SU-2016:0457-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332,963335
CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE Enterprise Storage 2.1 (src): rubygem-actionpack-4_2-4.2.2-6.1
released
SUSE-SU-2016:0858-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332,963335
CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE OpenStack Cloud 5 (src): rubygem-actionpack-4_1-4.1.9-9.1