Security update for Ruby on Rails

SUSE Security Update: Security update for Ruby on Rails
Announcement ID: SUSE-SU-2013:0707-1
Rating: moderate
References: #809932 #809935 #809940
Affected Products:
  • WebYaST 1.2
  • SUSE Studio Standard Edition 1.2
  • SUSE Studio Onsite 1.2
  • SUSE Studio Extension for System z 1.2
  • SUSE Linux Enterprise Software Development Kit 11 SP2
  • SUSE Cloud 1.0

  • An update that solves one vulnerability and has two fixes is now available. It includes one version update.

    Description:


    The Ruby on Rails 2.3 stack received security fixes for
    following issues:

    ActionPack:

    * CVE-2013-1855: A XSS vulnerability in sanitize_css in
    Action Pack was fixed (bnc#809935).
    * CVE-2013-1857: A XSS Vulnerability in the sanitize
    helper of Ruby on Rails was fixed (bnc#809940).

    ActiveRecord:

    * CVE-2013-1854: A Symbol DoS vulnerability in Active
    Record was fixed (bnc#809932).

    ActiveSupport:

    * CVE-2013-1854: A Symbol DoS vulnerability in Active
    Record was fixed (bnc#809932).

    Security Issue reference:

    * CVE-2013-1854
    >

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • WebYaST 1.2:
      zypper in -t patch slewyst12-rubyrails-2_3-201304-7590
    • SUSE Studio Standard Edition 1.2:
      zypper in -t patch sleslms12-rubyrails-2_3-201304-7590
    • SUSE Studio Onsite 1.2:
      zypper in -t patch slestso12-rubyrails-2_3-201304-7590
    • SUSE Studio Extension for System z 1.2:
      zypper in -t patch slestso12-rubyrails-2_3-201304-7590
    • SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp2-rubyrails-2_3-201304-7589
    • SUSE Cloud 1.0:
      zypper in -t patch sleclo10sp2-rubyrails-2_3-201304-7589

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:
    • rubygem-actionpack-2_3-2.3.17-0.8.8.1
    • rubygem-activerecord-2_3-2.3.17-0.8.8.1
    • rubygem-activesupport-2_3-2.3.17-0.8.8.1
    • SUSE Studio Standard Edition 1.2 (x86_64) [New Version: 2.3.17]:
    • rubygem-actionpack-2_3-2.3.17-0.8.8.1
    • rubygem-activerecord-2_3-2.3.17-0.8.8.1
    • rubygem-activesupport-2_3-2.3.17-0.8.8.1
    • SUSE Studio Onsite 1.2 (x86_64) [New Version: 2.3.17]:
    • rubygem-actionpack-2_3-2.3.17-0.8.8.1
    • rubygem-activerecord-2_3-2.3.17-0.8.8.1
    • rubygem-activesupport-2_3-2.3.17-0.8.8.1
    • SUSE Studio Extension for System z 1.2 (s390x) [New Version: 2.3.17]:
    • rubygem-actionpack-2_3-2.3.17-0.8.8.1
    • rubygem-activerecord-2_3-2.3.17-0.8.8.1
    • rubygem-activesupport-2_3-2.3.17-0.8.8.1
    • SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:
    • rubygem-actionpack-2_3-2.3.17-0.11.1
    • rubygem-activerecord-2_3-2.3.17-0.11.1
    • rubygem-activesupport-2_3-2.3.17-0.11.1
    • SUSE Cloud 1.0 (x86_64) [New Version: 2.3.17]:
    • rubygem-actionpack-2_3-2.3.17-0.11.1
    • rubygem-activerecord-2_3-2.3.17-0.11.1
    • rubygem-activesupport-2_3-2.3.17-0.11.1

    References:

    • http://support.novell.com/security/cve/CVE-2013-1854.html
    • https://bugzilla.novell.com/809932
    • https://bugzilla.novell.com/809935
    • https://bugzilla.novell.com/809940
    • http://download.suse.com/patch/finder/?keywords=087db4f44aa8af9e31e72ca7a4471ed7
    • http://download.suse.com/patch/finder/?keywords=e752b41dd60e41af5879ea236b7914bf