Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Red Hat 6: RHSA-2014:0510-01 Moderate: Ruby ActionPack Directory Flaw

red hat
Calendar Grey May 15, 2014
Dist Redhat Esm H88
Enhanced ruby193-rubygem-actionpack components to resolve a critical directory traversal vulnerability in Ruby on Rails specifically for Red Hat users.
Updated ruby193-rubygem-actionpack packages that fix one security issue are now available for Red Hat Software Collections 1

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

Summary

Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request. (CVE-2014-0130)
All ruby193-rubygem-actionpack users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

References

https://access.redhat.com/security/cve/CVE-2014-0130 https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat Software Collections for RHEL 6 Server:
Source:
noarch: ruby193-rubygem-actionpack-3.2.8-5.5.el6.noarch.rpm ruby193-rubygem-actionpack-doc-3.2.8-5.5.el6.noarch.rpm
Red Hat Software Collections for RHEL 6 Workstation:
Source:
noarch: ruby193-rubygem-actionpack-3.2.8-5.5.el6.noarch.rpm ruby193-rubygem-actionpack-doc-3.2.8-5.5.el6.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package


Advisory ID: RHSA-2014:0510-01
Product: Red Hat Software Collections
Issue date: 2014-05-15

Topic

Updated ruby193-rubygem-actionpack packages that fix one security issue arenow available for Red Hat Software Collections 1.The Red Hat Security Response Team has rated this update as having Moderatesecurity impact. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available from the CVE link inthe References section.

Relevant Releases Architectures

Red Hat Software Collections for RHEL 6 Server - noarch

Red Hat Software Collections for RHEL 6 Workstation - noarch

Bugs Fixed

1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here