SUSE Security Update: Security update for Ruby On Rails
Announcement ID: SUSE-SU-2013:0486-1
Rating: important
References: #796712 #797449 #797452 #800320 #803336 #803339
Affected Products: SUSE Linux Enterprise Software Development Kit 11 SP2, SUSE Cloud 1.0
An update that solves five vulnerabilities and has one erratum is now available. It includes one version update (to 2.3.17).
Description:
The Ruby on Rails stack has been updated to 2.3.17 to fix various security issues and bugs.
The rails gems have been updated to fix:
* Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
* Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)
* activerecord: SQL Injection (CVE-2012-5664)
* rails: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3 (CVE-2013-0333)
* activerecord: Circumvention of attr_protected (CVE-2013-0276)
* activerecord: Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 (CVE-2013-0277)
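The first item, the unsafe query generation risk (CVE-2013-0155), is the one most easily misjudged as harmless, so here is an added illustration. It is not code from the advisory or from Rails: it is a constructed, Rails-free stand-in for an ORM's hash-conditions builder that assumes the behaviour the upstream Rails advisory describes (a nil value becomes an "IS NULL" predicate, an array becomes "IN (...)"), fed by request bodies constructed for the example. The function and column names (where_clause, vulnerable_lookup, hardened_lookup, a users.token column) are assumptions, not Rails API.

```ruby
require 'json'

# SQL-quote a scalar. Constructed helper; the point of this example is the
# shape of the predicate, not quoting, so it only escapes single quotes.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Constructed stand-in for an ORM's hash-conditions builder. It assumes the
# behaviour described for CVE-2013-0155: a nil value becomes "IS NULL" instead
# of a comparison, and an array becomes "IN (...)" (with nil members as IS NULL).
def where_clause(conditions)
  return "" if conditions.empty?
  predicates = conditions.map do |column, value|
    case value
    when nil
      "#{column} IS NULL"
    when Array
      present = value.compact.map { |v| quote(v) }
      parts = []
      parts << "#{column} IN (#{present.join(', ')})" unless present.empty?
      parts << "#{column} IS NULL" if value.include?(nil)
      parts.empty? ? "1=0" : "(#{parts.join(' OR ')})"
    else
      "#{column} = #{quote(value)}"
    end
  end
  "WHERE " + predicates.join(" AND ")
end

# Vulnerable pattern: the controller trusts the structure of the JSON body and
# hands params['token'] straight to the query. A form POST can only deliver a
# string here; a JSON (or XML) body can deliver null or [null].
def vulnerable_lookup(json_body)
  params = JSON.parse(json_body)
  "SELECT * FROM users " + where_clause("token" => params["token"])
end

# Hardened pattern: insist on a non-empty String before the value reaches the
# query, so null, [null] and a missing key are rejected instead of being
# rewritten into "token IS NULL" (which matches every user without a token).
def scalar_param!(value)
  unless value.is_a?(String) && !value.empty?
    raise ArgumentError, "expected a non-empty string, got #{value.inspect}"
  end
  value
end

def hardened_lookup(json_body)
  params = JSON.parse(json_body)
  "SELECT * FROM users " + where_clause("token" => scalar_param!(params["token"]))
end

if __FILE__ == $0
  # Constructed request bodies: one legitimate reset-token lookup and three
  # shapes an attacker can only express in JSON or XML, never in a form.
  ['{"token": "7f3a9c"}', '{"token": null}', '{"token": [null]}', '{}'].each do |body|
    puts "#{body.ljust(22)} vulnerable: #{vulnerable_lookup(body)}"
    begin
      puts "#{' ' * 22} hardened:   #{hardened_lookup(body)}"
    rescue ArgumentError => e
      puts "#{' ' * 22} hardened:   rejected (#{e.message})"
    end
  end
end
```

The point to take from the output is that the attacker never injects SQL; the query stays well-formed, but "token IS NULL" matches the rows a token lookup is supposed to exclude. Upgrading to the fixed gems removes the parser behaviour; type-checking parameters before they reach a query is the defence in depth that keeps the same class of bug out of application code.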
Security Issue references:
* CVE-2012-5664
* CVE-2013-0155
* CVE-2013-0156
* CVE-2013-0276
* CVE-2013-0277
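Three of the fixed issues share one root cause: attacker-controlled text reaching Ruby's unrestricted YAML loader, which will allocate any class named in a !ruby/object tag. In Rails 2.3 that text arrived from an XML parameter tagged type="yaml" (CVE-2013-0156), from a JSON body parsed through the YAML backend (CVE-2013-0333), and from a database column declared with serialize (CVE-2013-0277). The following is an added example, not code from the advisory or from Rails, that shows only the loader step with a constructed application class (ReportJob), a constructed payload and a constructed benign document; the function names unrestricted_load and restricted_load are this example's own. The parsing layers that delivered the string are out of scope here.

```ruby
require 'yaml'

# Constructed stand-in for a class that exists somewhere in the application.
# The attacker only needs its name; its constructor is never run by the loader.
class ReportJob
  attr_accessor :command, :validated

  def initialize(command)
    raise ArgumentError, "disallowed command" unless command.start_with?("report ")
    @command   = command
    @validated = true
  end
end

# Constructed attacker payload. In Rails 2.3 before this fix a string like this
# reached YAML.load from an XML parameter with type="yaml" (CVE-2013-0156),
# from a JSON body parsed via the YAML backend (CVE-2013-0333), or from a
# column declared with `serialize` (CVE-2013-0277).
ATTACK_YAML = "--- !ruby/object:ReportJob\ncommand: rm -rf /\n"

# Constructed benign document of the kind a serialized attribute would hold.
BENIGN_YAML = "theme: dark\npage_size: 25\n"

# The unrestricted loader, which is what the vulnerable code paths effectively
# called. Ruby 3.1+ renamed it to unsafe_load and made YAML.load safe by
# default; on older Rubies YAML.load is the unrestricted one.
def unrestricted_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Hardened loader: plain data types only. Any !ruby/object tag raises
# Psych::DisallowedClass before an object is allocated, and aliases are
# refused so a document cannot blow up into a huge structure either.
def restricted_load(yaml)
  YAML.safe_load(yaml, permitted_classes: [], aliases: false)
end

if __FILE__ == $0
  job = unrestricted_load(ATTACK_YAML)
  puts "unrestricted: #{job.class} command=#{job.command.inspect} validated=#{job.validated.inspect}"
  puts "restricted, benign document: #{restricted_load(BENIGN_YAML).inspect}"
  begin
    restricted_load(ATTACK_YAML)
  rescue Psych::DisallowedClass => e
    puts "restricted, attack document: rejected (#{e.message})"
  end
end
```

Two details matter for triage. The revived ReportJob has validated set to nil because initialize was bypassed, so any invariant the constructor enforces is gone; and the fixed behaviour is the same whether the string came in over HTTP or was read back from a column, which is why the serialized-attributes issue is rated alongside the parameter-parsing ones.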
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP2:
zypper in -t patch sdksp2-rubygem-actionmailer-2_3-7363
- SUSE Cloud 1.0:
zypper in -t patch sleclo10sp2-rubygem-actionmailer-2_3-7363
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:
- rubygem-actionmailer-2_3-2.3.17-0.9.1
- rubygem-actionpack-2_3-2.3.17-0.9.1
- rubygem-activerecord-2_3-2.3.17-0.9.1
- rubygem-activeresource-2_3-2.3.17-0.9.1
- rubygem-activesupport-2_3-2.3.17-0.9.1
- rubygem-rails-2_3-2.3.17-0.9.1
- SUSE Linux Enterprise Software Development Kit 11 SP2 (noarch) [New Version: 2.3.17]:
- rubygem-rails-2.3.17-0.8.1
- SUSE Cloud 1.0 (x86_64) [New Version: 2.3.17]:
- rubygem-actionmailer-2_3-2.3.17-0.9.1
- rubygem-actionpack-2_3-2.3.17-0.9.1
- rubygem-activerecord-2_3-2.3.17-0.9.1
- rubygem-activeresource-2_3-2.3.17-0.9.1
- rubygem-activesupport-2_3-2.3.17-0.9.1
- rubygem-rails-2_3-2.3.17-0.9.1
References:
- http://support.novell.com/security/cve/CVE-2012-5664.html
- http://support.novell.com/security/cve/CVE-2013-0155.html
- http://support.novell.com/security/cve/CVE-2013-0156.html
- http://support.novell.com/security/cve/CVE-2013-0276.html
- http://support.novell.com/security/cve/CVE-2013-0277.html
- https://bugzilla.novell.com/796712
- https://bugzilla.novell.com/797449
- https://bugzilla.novell.com/797452
- https://bugzilla.novell.com/800320
- https://bugzilla.novell.com/803336
- https://bugzilla.novell.com/803339
- http://download.suse.com/patch/finder/?keywords=262e345a7ecb482ffca687eedd6b610a