Bug#731288: ruby-actionpack-3.2: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]

Antonio Terceiro Tue, 03 Dec 2013 17:09:31 -0800

Package: ruby-actionpack-3.2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Control: clone -1 -2 -3
Control: reassign -2 ruby-actionpack-2.3
Control: retitle -2 ruby-actionpack-2.3: multiple vulnerabilities 
[CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]
Control: reassign -3 ruby-actionpack-4.0
Control: retitle -3 ruby-actionpack-4.0: multiple vulnerabilities 
[CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]


New vulnerabilities were just disclosed in the rubyonrails-security mailing
list. Not all of them apply to all packages and versions, but most of them do.

Fixes fox Rails 2.3 were not provided so they will be a little harder to come
up with.

[CVE-2013-6414] Denial of Service Vulnerability in Action View
https://groups.google.com/forum/#!topic/rubyonrails-security/A-ebV4WxzKg

[CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
https://groups.google.com/forum/#!topic/rubyonrails-security/pLrh6DUw998

[CVE-2013-6415] XSS Vulnerability in number_to_currency
https://groups.google.com/forum/#!topic/rubyonrails-security/9WiRn2nhfq0

[CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation
Risk)
https://groups.google.com/forum/#!topic/rubyonrails-security/niK4drpSHT4

[CVE-2013-6416] XSS Vulnerability in simple_format helper
https://groups.google.com/forum/#!topic/rubyonrails-security/5ZI1-H5OoIM


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ruby-actionpack-3.2 depends on:
ii  ruby                          1:1.9.3
ii  ruby-activemodel-3.2          3.2.13-5
ii  ruby-activerecord-3.2         3.2.13-4
ii  ruby-activesupport-3.2        3.2.13-3
ii  ruby-builder                  3.2.0-1
ii  ruby-erubis                   2.7.0-2
ii  ruby-journey                  1.0.4-1
ii  ruby-rack                     1:1.4.5-1
ii  ruby-rack-cache               1.2-2
ii  ruby-rack-test                0.6.2-1
ii  ruby-sprockets                2.4.3-1
ii  ruby-tzinfo                   1.0.1-1
ii  ruby1.8 [ruby-interpreter]    1.8.7.358-9
ii  ruby1.9.1 [ruby-interpreter]  1.9.3.484-1
ii  ruby2.0 [ruby-interpreter]    2.0.0.353-1

ruby-actionpack-3.2 recommends no packages.

ruby-actionpack-3.2 suggests no packages.

-- no debconf information

-- 
Antonio Terceiro <terce...@debian.org>

signature.asc
Description: Digital signature

Bug#731288: ruby-actionpack-3.2: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]

Reply via email to