Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[security-announce] SUSE-SU-2013:0486-1: important: Security update for Ruby On Rails

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

SUSE Security Update: Security update for Ruby On Rails

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2013:0486-1

Rating: important

References: #796712 #797449 #797452 #800320 #803336 #803339

 

Cross-References: CVE-2012-5664 CVE-2013-0155 CVE-2013-0156

CVE-2013-0276 CVE-2013-0277

Affected Products:

SUSE Linux Enterprise Software Development Kit 11 SP2

SUSE Cloud 1.0

______________________________________________________________________________

 

An update that solves 5 vulnerabilities and has one errata

is now available. It includes one version update.

 

Description:

 

 

The Ruby on Rails stack has been updated to 2.3.17 to fix

various security issues and bugs.

 

The rails gems have been updated to fix:

 

* Unsafe Query Generation Risk in Ruby on Rails

(CVE-2013-0155)

* Multiple vulnerabilities in parameter parsing in

Action Pack (CVE-2013-0156)

* activerecord: SQL Injection (CVE-2012-5664)

* rails: Vulnerability in JSON Parser in Ruby on Rails

3.0 and 2.3 (CVE-2013-0333)

* activerecord: Circumvention of attr_protected

(CVE-2013-0276)

* activerecord: Serialized Attributes YAML

Vulnerability with Rails 2.3 and 3.0 (CVE-2013-0277)

 

Security Issue references:

 

* CVE-2012-5664

 

* CVE-2013-0155

 

* CVE-2013-0156

 

* CVE-2013-0277

 

* CVE-2013-0276

 

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Software Development Kit 11 SP2:

 

zypper in -t patch sdksp2-rubygem-actionmailer-2_3-7363

 

- SUSE Cloud 1.0:

 

zypper in -t patch sleclo10sp2-rubygem-actionmailer-2_3-7363

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:

 

rubygem-actionmailer-2_3-2.3.17-0.9.1

rubygem-actionpack-2_3-2.3.17-0.9.1

rubygem-activerecord-2_3-2.3.17-0.9.1

rubygem-activeresource-2_3-2.3.17-0.9.1

rubygem-activesupport-2_3-2.3.17-0.9.1

rubygem-rails-2_3-2.3.17-0.9.1

 

- SUSE Linux Enterprise Software Development Kit 11 SP2 (noarch) [New Version: 2.3.17]:

 

rubygem-rails-2.3.17-0.8.1

 

- SUSE Cloud 1.0 (x86_64) [New Version: 2.3.17]:

 

rubygem-actionmailer-2_3-2.3.17-0.9.1

rubygem-actionpack-2_3-2.3.17-0.9.1

rubygem-activerecord-2_3-2.3.17-0.9.1

rubygem-activeresource-2_3-2.3.17-0.9.1

rubygem-activesupport-2_3-2.3.17-0.9.1

rubygem-rails-2_3-2.3.17-0.9.1

 

 

References:

 

http://support.novell.com/security/cve/CVE-2012-5664.html

http://support.novell.com/security/cve/CVE-2013-0155.html

http://support.novell.com/security/cve/CVE-2013-0156.html

http://support.novell.com/security/cve/CVE-2013-0276.html

http://support.novell.com/security/cve/CVE-2013-0277.html

https://bugzilla.novell.com/796712

https://bugzilla.novell.com/797449

https://bugzilla.novell.com/797452

https://bugzilla.novell.com/800320

https://bugzilla.novell.com/803336

https://bugzilla.novell.com/803339

http://download.novell.com/patch/finder/?keywords=262e345a7ecb482ffca687eedd6b610a

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×