[Secure-testing-team] Bug#731288: ruby-actionpack-3.2: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]
Antonio Terceiro
terceiro at debian.org
Wed Dec 4 01:06:20 UTC 2013
Package: ruby-actionpack-3.2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Control: clone -1 -2 -3
Control: reassign -2 ruby-actionpack-2.3
Control: retitle -2 ruby-actionpack-2.3: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]
Control: reassign -3 ruby-actionpack-4.0
Control: retitle -3 ruby-actionpack-4.0: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]
New vulnerabilities were just disclosed in the rubyonrails-security mailing
list. Not all of them apply to all packages and versions, but most of them do.
Fixes fox Rails 2.3 were not provided so they will be a little harder to come
up with.
[CVE-2013-6414] Denial of Service Vulnerability in Action View
https://groups.google.com/forum/#!topic/rubyonrails-security/A-ebV4WxzKg
[CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
https://groups.google.com/forum/#!topic/rubyonrails-security/pLrh6DUw998
[CVE-2013-6415] XSS Vulnerability in number_to_currency
https://groups.google.com/forum/#!topic/rubyonrails-security/9WiRn2nhfq0
[CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation
Risk)
https://groups.google.com/forum/#!topic/rubyonrails-security/niK4drpSHT4
[CVE-2013-6416] XSS Vulnerability in simple_format helper
https://groups.google.com/forum/#!topic/rubyonrails-security/5ZI1-H5OoIM
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.11-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ruby-actionpack-3.2 depends on:
ii ruby 1:1.9.3
ii ruby-activemodel-3.2 3.2.13-5
ii ruby-activerecord-3.2 3.2.13-4
ii ruby-activesupport-3.2 3.2.13-3
ii ruby-builder 3.2.0-1
ii ruby-erubis 2.7.0-2
ii ruby-journey 1.0.4-1
ii ruby-rack 1:1.4.5-1
ii ruby-rack-cache 1.2-2
ii ruby-rack-test 0.6.2-1
ii ruby-sprockets 2.4.3-1
ii ruby-tzinfo 1.0.1-1
ii ruby1.8 [ruby-interpreter] 1.8.7.358-9
ii ruby1.9.1 [ruby-interpreter] 1.9.3.484-1
ii ruby2.0 [ruby-interpreter] 2.0.0.353-1
ruby-actionpack-3.2 recommends no packages.
ruby-actionpack-3.2 suggests no packages.
-- no debconf information
--
Antonio Terceiro <terceiro at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20131203/c4527b71/attachment.sig>
More information about the Secure-testing-team
mailing list