LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Kernel prepatch 3.9-rc6

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

openSUSE alert openSUSE-SU-2013:0278-1 (ruby on rails)



From:
    	      opensuse-security@opensuse.org 


To:
    	      opensuse-updates@opensuse.org 


Subject:
    	      openSUSE-SU-2013:0278-1: important: ruby on rails to 2.3.16 


Date:
    	      Tue, 12 Feb 2013 10:10:39 +0100 (CET)


Message-ID:
    	      <20130212091039.21EEE27EE6@maintenance.suse.de>


Archive-link:
    	      Article, Thread
              


   openSUSE Security Update: ruby on rails to 2.3.16
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:0278-1
Rating:             important
References:         #766792 #775649 #775653 #796712 #797449 #797452 
                    #798452 #798458 #800320 
Cross-References:   CVE-2012-2695 CVE-2012-5664 CVE-2013-0155
                    CVE-2013-0156 CVE-2013-0333
Affected Products:
                    openSUSE 12.2
                    openSUSE 12.1
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has four fixes
   is now available.

Description:


   This update updates the RubyOnRails 2.3 stack to 2.3.16,
   also this update updates the RubyOnRails 3.2 stack to
   3.2.11.

   Security and bugfixes were done, foremost: CVE-2013-0333: A
   JSON sql/code injection problem was fixed. CVE-2012-5664: A
   SQL Injection Vulnerability in Active Record was fixed.
   CVE-2012-2695: A SQL injection via nested hashes in
   conditions was fixed. CVE-2013-0155: Unsafe Query
   Generation Risk in Ruby on Rails was fixed. CVE-2013-0156:
   Multiple vulnerabilities in parameter parsing in Action
   Pack were fixed.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.2:

      zypper in -t patch openSUSE-2013-106

   - openSUSE 12.1:

      zypper in -t patch openSUSE-2013-106

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 12.2 (i586 x86_64):

      rubygem-actionmailer-2_3-2.3.16-2.5.3
      rubygem-actionmailer-2_3-doc-2.3.16-2.5.3
      rubygem-actionmailer-2_3-testsuite-2.3.16-2.5.3
      rubygem-actionmailer-3_2-3.2.11-2.9.5
      rubygem-actionmailer-3_2-doc-3.2.11-2.9.5
      rubygem-actionpack-2_3-2.3.16-2.13.3
      rubygem-actionpack-2_3-doc-2.3.16-2.13.3
      rubygem-actionpack-2_3-testsuite-2.3.16-2.13.3
      rubygem-actionpack-3_2-3.2.11-3.9.4
      rubygem-actionpack-3_2-doc-3.2.11-3.9.4
      rubygem-activemodel-3_2-3.2.11-2.9.2
      rubygem-activemodel-3_2-doc-3.2.11-2.9.2
      rubygem-activerecord-2_3-2.3.16-2.9.2
      rubygem-activerecord-2_3-doc-2.3.16-2.9.2
      rubygem-activerecord-2_3-testsuite-2.3.16-2.9.2
      rubygem-activerecord-3_2-3.2.11-2.9.1
      rubygem-activerecord-3_2-doc-3.2.11-2.9.1
      rubygem-activeresource-2_3-2.3.16-2.5.2
      rubygem-activeresource-2_3-doc-2.3.16-2.5.2
      rubygem-activeresource-2_3-testsuite-2.3.16-2.5.2
      rubygem-activeresource-3_2-3.2.11-2.9.1
      rubygem-activeresource-3_2-doc-3.2.11-2.9.1
      rubygem-activesupport-2_3-2.3.16-3.9.1
      rubygem-activesupport-2_3-doc-2.3.16-3.9.1
      rubygem-activesupport-3_2-3.2.11-2.9.1
      rubygem-activesupport-3_2-doc-3.2.11-2.9.1
      rubygem-rack-1_1-1.1.5-6.5.1
      rubygem-rack-1_1-doc-1.1.5-6.5.1
      rubygem-rack-1_1-testsuite-1.1.5-6.5.1
      rubygem-rack-1_2-1.2.7-2.5.1
      rubygem-rack-1_2-doc-1.2.7-2.5.1
      rubygem-rack-1_2-testsuite-1.2.7-2.5.1
      rubygem-rack-1_3-1.3.9-2.5.1
      rubygem-rack-1_3-doc-1.3.9-2.5.1
      rubygem-rack-1_3-testsuite-1.3.9-2.5.1
      rubygem-rack-1_4-1.4.1-2.5.1
      rubygem-rack-1_4-doc-1.4.1-2.5.1
      rubygem-rack-1_4-testsuite-1.4.1-2.5.1
      rubygem-rails-2_3-2.3.16-3.5.1
      rubygem-rails-2_3-doc-2.3.16-3.5.1
      rubygem-rails-3_2-3.2.11-2.9.1
      rubygem-rails-3_2-doc-3.2.11-2.9.1
      rubygem-railties-3_2-3.2.11-2.9.1
      rubygem-railties-3_2-doc-3.2.11-2.9.1
      rubygem-sprockets-2_2-2.2.2-2.2
      rubygem-sprockets-2_2-doc-2.2.2-2.2

   - openSUSE 12.2 (noarch):

      rubygem-actionmailer-2.3.16-2.5.1
      rubygem-actionpack-2.3.16-2.5.1
      rubygem-activerecord-2.3.16-3.5.1
      rubygem-activeresource-2.3.16-3.5.1
      rubygem-activesupport-2.3.16-3.5.1
      rubygem-rails-2.3.16-3.5.1

   - openSUSE 12.1 (i586 x86_64):

      rubygem-actionmailer-2_3-2.3.16-3.9.3
      rubygem-actionmailer-2_3-doc-2.3.16-3.9.3
      rubygem-actionmailer-2_3-testsuite-2.3.16-3.9.3
      rubygem-actionpack-2_3-2.3.16-3.16.2
      rubygem-actionpack-2_3-doc-2.3.16-3.16.2
      rubygem-actionpack-2_3-testsuite-2.3.16-3.16.2
      rubygem-activerecord-2_3-2.3.16-3.12.2
      rubygem-activerecord-2_3-doc-2.3.16-3.12.2
      rubygem-activerecord-2_3-testsuite-2.3.16-3.12.2
      rubygem-activeresource-2_3-2.3.16-3.9.2
      rubygem-activeresource-2_3-doc-2.3.16-3.9.2
      rubygem-activeresource-2_3-testsuite-2.3.16-3.9.2
      rubygem-activesupport-2_3-2.3.16-3.13.1
      rubygem-activesupport-2_3-doc-2.3.16-3.13.1
      rubygem-rack-1_1-1.1.5-3.5.1
      rubygem-rack-1_1-doc-1.1.5-3.5.1
      rubygem-rack-1_1-testsuite-1.1.5-3.5.1
      rubygem-rails-2_3-2.3.16-3.9.1
      rubygem-rails-2_3-doc-2.3.16-3.9.1

   - openSUSE 12.1 (noarch):

      rubygem-actionmailer-2.3.16-2.7.1
      rubygem-actionpack-2.3.16-2.7.1
      rubygem-activerecord-2.3.16-2.7.1
      rubygem-activeresource-2.3.16-2.7.1
      rubygem-activesupport-2.3.16-2.7.1
      rubygem-rails-2.3.16-2.7.1


References:

   http://support.novell.com/security/cve/CVE-2012-2695.html
   http://support.novell.com/security/cve/CVE-2012-5664.html
   http://support.novell.com/security/cve/CVE-2013-0155.html
   http://support.novell.com/security/cve/CVE-2013-0156.html
   http://support.novell.com/security/cve/CVE-2013-0333.html
   https://bugzilla.novell.com/766792
   https://bugzilla.novell.com/775649
   https://bugzilla.novell.com/775653
   https://bugzilla.novell.com/796712
   https://bugzilla.novell.com/797449
   https://bugzilla.novell.com/797452
   https://bugzilla.novell.com/798452
   https://bugzilla.novell.com/798458
   https://bugzilla.novell.com/800320
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds