Alerts This Week
Warning Icon 1 566
Alerts This Week
Warning Icon 1 566

openSUSE 11.4: 2013:0280-1 Important: Ruby On Rails Security Issues

opensuse
Calendar Grey February 12, 2013
Dist Opensuse Esm H88
The latest openSUSE 11.4 patch addresses significant Ruby on Rails security flaws. Vital updates are integrated to enhance overall protection.
An update that solves 5 vulnerabilities and has four fixes An update that solves 5 vulnerabilities and has four fixes An update that solves 5 vulnerabilities and has four fixes is ...

Description

This update updates the RubyOnRails 2.3 stack to 2.3.16.

Security and bugfixes were done, foremost: CVE-2013-0333: A

JSON sql/code injection problem was fixed. CVE-2012-5664: A

SQL Injection Vulnerability in Active Record was fixed.

CVE-2012-2695: A SQL injection via nested hashes in

conditions was fixed. CVE-2013-0155: Unsafe Query

Generation Risk in Ruby on Rails was fixed. CVE-2013-0156:

Multiple vulnerabilities in parameter parsing in Action

Pack were fixed. CVE-2012-5664: options hashes should only

be extracted if there are extra parameters CVE-2012-2695:

Fix SQL injection via nested hashes in conditions

CVE-2013-0156: Hash.from_xml raises when it encounters type="symbol" or type="yaml". Use Hash.from_trusted_xml to

parse this XM

Topics%20covered

Topics Covered

security advisory SQL injection important fix openSUSE ruby on rails action pack JSON injection

Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 11.4:

zypper in -t patch 2013-21

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 11.4 (i586 x86_64):

rubygem-actionmailer-2_3-2.3.16-0.16.1

rubygem-actionmailer-2_3-doc-2.3.16-0.16.1

rubygem-actionmailer-2_3-testsuite-2.3.16-0.16.1

rubygem-actionpack-2_3-2.3.16-0.23.1

rubygem-actionpack-2_3-doc-2.3.16-0.23.1

rubygem-actionpack-2_3-testsuite-2.3.16-0.23.1

rubygem-activerecord-2_3-2.3.16-0.19.1

rubygem-activerecord-2_3-doc-2.3.16-0.19.1

rubygem-activerecord-2_3-testsuite-2.3.16-0.19.1

rubygem-activeresource-2_3-2.3.16-0.16.1

rubygem-activeresource-2_3-doc-2.3.16-0.16.1

rubygem-activeresource-2_3-testsuite-2.3.16-0.16.1

rubygem-activesupport-2_3-2.3.16-0.16.1

rubygem-activesupport-2_3-doc-2.3.16-0.16.1

rubygem-rack-1.1.5-0.8.1

rubygem-rails-2_3-2.3.16-0.12.1

rubygem-rails-2_3-doc-2.3.16-0.12.1

- openSUSE 11.4 (noarch):

rubygem-actionmailer-2.3.16-0.6.1

rubygem-actionpack-2.3.16-0.6.1

rubygem-activerecord-2.3.16-0.6.1

rubygem-activeresource-2.3.16-0.6.1

rubygem-activesupport-2.3.16-0.6.1

rubygem-rails-2.3.16-0.6.1

References

https://www.suse.com/security/cve/CVE-2012-2695.html

https://www.suse.com/security/cve/CVE-2012-5664.html

https://www.suse.com/security/cve/CVE-2013-0155.html

https://www.suse.com/security/cve/CVE-2013-0156.html

https://www.suse.com/security/cve/CVE-2013-0333.html

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2013:0280-1
Rating: important
Affected Products: openSUSE 11.4

Topics%20covered

Topics Covered

security advisory SQL injection important fix openSUSE ruby on rails action pack JSON injection

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here