lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".
** Changed in: rails (Ubuntu Lucid)
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscr
Since there is nothing left to sponsor, I am unsubscribing
ubuntu-security-sponsors.
Please re-subscribe the team again if someone attaches a debdiff for
rails on lucid.
** Changed in: ruby-actionpack-3.2 (Ubuntu Quantal)
Status: Fix Committed => Fix Released
** Branch linked: lp:~ubuntu-branches/ubuntu/quantal/ruby-activerecord-3.2/quantal-security
** Branch linked: lp:ubuntu/oneiric-security/ruby-activerecord-2.3
** Branch linked: lp:~ubuntu-branches/ubuntu/precise/ruby-activerecord-2.3/precise-security
** Branch linked: lp:~ubuntu-branches/ubunt
This bug was fixed in the package ruby-activerecord-2.3 -
2.3.14-1ubuntu0.11.10.1
---
ruby-activerecord-2.3 (2.3.14-1ubuntu0.11.10.1) oneiric-security; urgency=low
* SECURITY UPDATE: unsafe query generation risk (LP: #1100188)
- debian/patches/CVE-2013-0155.patch: added patch fr
This bug was fixed in the package ruby-activerecord-3.2 -
3.2.6-2ubuntu0.1
---
ruby-activerecord-3.2 (3.2.6-2ubuntu0.1) quantal-security; urgency=low
* SECURITY UPDATE: Unsafe Query Generation Risk in Ruby on Rails
(LP: #1100188)
- debian/patches/CVE-2013-0155: Strip nils fr
This bug was fixed in the package ruby-activerecord-2.3 -
2.3.14-1ubuntu0.12.04.1
---
ruby-activerecord-2.3 (2.3.14-1ubuntu0.12.04.1) precise-security; urgency=low
* SECURITY UPDATE: unsafe query generation risk (LP: #1100188)
- debian/patches/CVE-2013-0155.patch: added patch fr
This bug was fixed in the package ruby-activerecord-2.3 -
2.3.14-2ubuntu0.1
---
ruby-activerecord-2.3 (2.3.14-2ubuntu0.1) quantal-security; urgency=low
* SECURITY UPDATE: unsafe query generation risk (LP: #1100188)
- debian/patches/CVE-2013-0155.patch: added patch from Debian 2.
I've also uploaded fixed packages for ruby-activerecord-2.3. They will
be released shortly.
** Changed in: ruby-activerecord-2.3 (Ubuntu Oneiric)
Status: Triaged => Fix Committed
** Changed in: ruby-activerecord-2.3 (Ubuntu Precise)
Status: Triaged => Fix Committed
** Changed in: r
ACK on the debdiffs in comments 3 and 11. Packages are building now and
will be released shortly. Thanks!
** Changed in: ruby-activerecord-3.2 (Ubuntu Quantal)
Status: Triaged => Fix Committed
** Changed in: ruby-actionpack-3.2 (Ubuntu Quantal)
Status: Triaged => Fix Committed
--
Assigning Christian to ruby-actionpack-3.2 on quantal since he submitted
a debdiff.
** Changed in: ruby-actionpack-3.2 (Ubuntu Quantal)
Assignee: (unassigned) => Christian Kuersteiner (ckuerste)
Attaching the patch from duplicate bug #1100162 on Christian's behalf. I
have not reviewed it.
** Patch added: "fix for quantal ruby-actionpack-3.2"
https://bugs.launchpad.net/ubuntu/+source/ruby-activerecord-3.2/+bug/1100188/+attachment/3486595/+files/lp1100162-quantal.debdiff
Per Debian, ruby-actionpack-2.3 not-affected.
** Also affects: ruby-activerecord-3.2 (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: ruby-activerecord-3.2 (Ubuntu Oneiric)
Importance: Undecided
Status: New
** Also affects: ruby-activerecord-3.2 (Ubuntu Quan
Note, people helping out with this bug may want to also look at bug
#1098357.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1100188
Title:
Unsafe Query Generation Risk in Ruby on Rails
To manage n
Raring has ruby-activerecord-2.3 2.3.14-4 now
** Changed in: ruby-activerecord-2.3 (Ubuntu Raring)
Status: Triaged => Fix Released
This should now be triaged for our packages based on Debian's
https://security-tracker.debian.org/tracker/CVE-2013-0155. As Marc said,
since the packages referred to in this bug are in universe or multiverse,
they are community maintained. When debdiffs are available, members of
the security team wi
Raring ruby-activerecord-3.2 was fixed in 3.2.6-4.
** Changed in: ruby-activerecord-3.2 (Ubuntu Raring)
Status: Confirmed => Fix Released
** Changed in: ruby-activerecord-3.2 (Ubuntu Quantal)
Status: New => Triaged
** Changed in: ruby-activerecord-2.3 (Ubuntu Quantal)
Assignee
ruby-activerecord-2.3 is fixed in Debian's 2.3.14-4. Raring just needs a
sync.
** Changed in: ruby-actionpack-3.2 (Ubuntu Oneiric)
Status: Triaged => Invalid
** Changed in: ruby-actionpack-3.2 (Ubuntu Precise)
Status: Triaged => Invalid
** Changed in: ruby-activerecord-3.2 (Ubuntu
Raring ruby-actionpack-3.2 fixed in 3.2.6-5
** Changed in: ruby-actionpack-3.2 (Ubuntu Raring)
Status: New => Fix Released
** Description changed:
There is a vulnerability when Active Record is used in conjunction with
JSON parameter parsing.
- Versions Affected: 3.x series
- Not a
Patch for quantal 3.2.x series
** Patch added: "lp1100188-quantal-3.2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/ruby-activerecord-3.2/+bug/1100188/+attachment/3485936/+files/lp1100188-quantal-3.2.debdiff
** Changed in: ruby-activerecord-3.2 (Ubuntu)
Status: New => Confirmed
--
According to
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/c7jT-EeN9eI
all versions (2.x as well) are affected.
Debian published http://www.debian.org/security/2013/dsa-2609 for this.
Interestingly, they patched squeeze (2.3.5-1.2+squeeze5) so this might
not actually be just for 3.x.