[DRE-maint] Bug#697722: rails: CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack
Antonio Terceiro
terceiro at debian.org
Wed Jan 9 18:02:04 UTC 2013
notfound 697722 2:2.3.14.2
found 697722 2.3.5-1.2+squeeze4
clone 697722 -1 -2
reassign -1 ruby-actionpack-2.3
reassign -2 ruby-actionpack-3.2
thanks
On Tue, Jan 08, 2013 at 11:42:46PM +0200, Henri Salo wrote:
> Package: rails
> Version: 2:2.3.14.2
> Severity: grave
> Tags: security
>
> http://www.openwall.com/lists/oss-security/2013/01/08/14
> https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
>
> """
> Multiple vulnerabilities in parameter parsing in Action Pack
>
> There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.
>
> Versions Affected: ALL versions
> Not affected: NONE
> Fixed Versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15
> <snip>
> """
>
> This probably affects squeeze and wheezy too. Please contact me in case you need any help!
Yes, this affects both squeeze and wheezy, but on different packages. A
fix for wheezy is under way, and wheezy will follow.
--
Antonio Terceiro <terceiro at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20130109/aa4cafb4/attachment.pgp>
More information about the Pkg-ruby-extras-maintainers
mailing list