[DRE-maint] Bug#697722: rails: CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack

Antonio Terceiro terceiro at debian.org
Wed Jan 9 18:02:04 UTC 2013


notfound 697722 2:2.3.14.2
found 697722 2.3.5-1.2+squeeze4
clone 697722 -1 -2
reassign -1 ruby-actionpack-2.3
reassign -2 ruby-actionpack-3.2
thanks

On Tue, Jan 08, 2013 at 11:42:46PM +0200, Henri Salo wrote:
> Package: rails
> Version: 2:2.3.14.2
> Severity: grave
> Tags: security
> 
> http://www.openwall.com/lists/oss-security/2013/01/08/14
> https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
> 
> """
> Multiple vulnerabilities in parameter parsing in Action Pack 
> 
> There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156. 
> 
> Versions Affected:  ALL versions 
> Not affected:       NONE 
> Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15 
> <snip>
> """
> 
> This probably affects squeeze and wheezy too. Please contact me in case you need any help!

Yes, this affects both squeeze and wheezy, but on different packages. A
fix for wheezy is under way, and wheezy will follow.

-- 
Antonio Terceiro <terceiro at debian.org>