Security update for Ruby On Rails 3.2 stack

SUSE Security Update: Security update for Ruby On Rails 3.2 stack
Announcement ID: SUSE-SU-2013:0707-2
Rating: moderate
References: #809932 #809935 #809940
Affected Products:
  • WebYaST 1.3
  • SUSE Studio Onsite 1.3
  • SUSE Linux Enterprise Software Development Kit 11 SP2
  • SUSE Lifecycle Management Server 1.3

  • An update that solves one vulnerability and has two fixes is now available. It includes two new package versions.

    Description:


    The Ruby on Rails 3.2 stack has been updated to 3.2.12 to
    fix various security issues and bugs:

    * rubygem-actionmailer-3_2: has been updated to 3.2.12.
    * rubygem-actionpack-3_2: has been updated to 3.2.12.
    * rubygem-activeresource-3_2: has been updated to 3.2.12.
    * rubygem-activesupport-3_2: has been updated to 3.2.12.
    * rubygem-railties-3_2: has been updated to 3.2.12.
    * rubygem-rails-3_2: has been updated to 3.2.12.
    * rubygem-activemodel-3_2: has been updated to 3.2.12 and
      received a security fix for CVE-2013-0276: an issue with
      attr_protected where malformed input could circumvent the
      protection. attr_protected is a blacklist; applications
      that can do so should prefer the attr_accessible whitelist,
      which the upstream advisory lists as the workaround.
    * rubygem-activerecord-3_2: has been updated to 3.2.12, the
      release that fixed CVE-2013-0276, and received the
      following security fix:
      o Quote numeric values being compared to non-numeric
        columns. Otherwise, in some databases, the string column
        values will be coerced to a numeric, allowing 0, 0.0 or
        false to match any string starting with a non-digit.

      Read more about this problem here:
      2-3-1-11-and-2-3-17-have-been-released/>

    * An XSS in sanitize_css in Action Pack has been fixed
      (CVE-2013-1855).
    * An XSS vulnerability in the sanitize helper of Ruby on
      Rails Action Pack has been fixed (CVE-2013-1857).
    * A Symbol DoS vulnerability in Active Record has been
      fixed (CVE-2013-1854).
    * rubygem-rack-1_4 has also been updated to 1.4.5
      (bnc#802794 bnc#802795):
      o Fix CVE-2013-0263, timing attack against
        Rack::Session::Cookie
      o Fix CVE-2013-0262, symlink path traversal in Rack::File
      o Update to 1.4.4 (bnc#798452):
        + [SEC] Rack::Auth::AbstractRequest no longer
          symbolizes arbitrary strings (CVE-2013-0184)
      o Changes from 1.4.3:
        + Security: Prevent unbounded reads in large multipart
          boundaries (CVE-2013-0183)
      o Changes from 1.4.2 (CVE-2012-6109):
        + Add warnings when users do not provide a session
          secret
        + Fix parsing performance for unquoted filenames
        + Updated URI backports
        + Fix URI backport version matching, and silence
          constant warnings
        + Correct parameter parsing with empty values
        + Correct rackup '-I' flag, to allow multiple uses
        + Correct rackup pidfile handling
        + Report rackup line numbers correctly
        + Fix request loops caused by non-stale nonces with
          time limits
        + Fix reloader on Windows
        + Prevent infinite recursions from Response#to_ary
        + Various middleware better conforms to the body close
          specification
        + Updated language for the body close specification
        + Additional notes regarding ECMA escape compatibility
          issues
        + Fix the parsing of multiple ranges in range headers
        + Prevent errors from empty parameter keys
        + Added PATCH verb to Rack::Request
        + Various documentation updates
        + Fix session merge semantics (fixes rack-test)
        + Rack::Static :index can now handle multiple
          directories
        + All tests now utilize Rack::Lint (special thanks to
          Lars Gierth)
        + Rack::File cache_control parameter is now deprecated,
          and removed by 1.5
        + Correct Rack::Directory script name escaping
        + Rack::Static supports header rules for sophisticated
          configurations
        + Multipart parsing now works without a Content-Length
          header
        + New logos courtesy of Zachary Scott!
        + Rack::BodyProxy now explicitly defines #each, useful
          for C extensions
        + Cookies that are not URI escaped no longer cause
          exceptions

    Security Issues:

    * CVE-2013-1854
      <http://support.novell.com/security/cve/CVE-2013-1854.html>

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • WebYaST 1.3:
      zypper in -t patch slewyst13-rubyrails-3_2-201304-7617
    • SUSE Studio Onsite 1.3:
      zypper in -t patch slestso13-rubyrails-3_2-201304-7617
    • SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp2-rubyrails-3_2-201304-7617
    • SUSE Lifecycle Management Server 1.3:
      zypper in -t patch sleslms13-rubyrails-3_2-201304-7617

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • WebYaST 1.3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.4.5 and 3.2.12]:
    • rubygem-actionmailer-3_2-3.2.12-0.5.9
    • rubygem-actionpack-3_2-3.2.12-0.7.1
    • rubygem-activemodel-3_2-3.2.12-0.5.8
    • rubygem-activerecord-3_2-3.2.12-0.7.1
    • rubygem-activeresource-3_2-3.2.12-0.5.8
    • rubygem-activesupport-3_2-3.2.12-0.5.8
    • rubygem-rack-1_4-1.4.5-0.5.8
    • rubygem-rails-3_2-3.2.12-0.5.10
    • rubygem-railties-3_2-3.2.12-0.7.9
    • SUSE Studio Onsite 1.3 (x86_64) [New Version: 1.4.5 and 3.2.12]:
    • rubygem-actionmailer-3_2-3.2.12-0.5.9
    • rubygem-actionpack-3_2-3.2.12-0.7.1
    • rubygem-activemodel-3_2-3.2.12-0.5.8
    • rubygem-activerecord-3_2-3.2.12-0.7.1
    • rubygem-activeresource-3_2-3.2.12-0.5.8
    • rubygem-activesupport-3_2-3.2.12-0.5.8
    • rubygem-rack-1_4-1.4.5-0.5.8
    • rubygem-rails-3_2-3.2.12-0.5.10
    • rubygem-railties-3_2-3.2.12-0.7.9
    • SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.4.5 and 3.2.12]:
    • rubygem-activesupport-3_2-3.2.12-0.5.8
    • rubygem-rack-1_4-1.4.5-0.5.8
    • SUSE Lifecycle Management Server 1.3 (x86_64) [New Version: 1.4.5 and 3.2.12]:
    • rubygem-actionmailer-3_2-3.2.12-0.5.9
    • rubygem-actionpack-3_2-3.2.12-0.7.1
    • rubygem-activemodel-3_2-3.2.12-0.5.8
    • rubygem-activerecord-3_2-3.2.12-0.7.1
    • rubygem-activeresource-3_2-3.2.12-0.5.8
    • rubygem-activesupport-3_2-3.2.12-0.5.8
    • rubygem-rack-1_4-1.4.5-0.5.8
    • rubygem-rails-3_2-3.2.12-0.5.10
    • rubygem-railties-3_2-3.2.12-0.7.9

    References:

    • http://support.novell.com/security/cve/CVE-2013-1854.html
    • https://bugzilla.novell.com/809932
    • https://bugzilla.novell.com/809935
    • https://bugzilla.novell.com/809940
    • http://download.suse.com/patch/finder/?keywords=fbe3a3e7096c7d4e58117c534e78345a