From: opensuse-security@opensuse.org
To: opensuse-updates@opensuse.org
Subject: openSUSE-SU-2013:0462-1: moderate: RubyOnRails: security version update to 2.3.17
Date: Thu, 14 Mar 2013 20:04:25 +0100 (CET)
Message-ID: <20130314190426.64DCD27F9D@maintenance.suse.de>

openSUSE Security Update: RubyOnRails: security version update to 2.3.17
______________________________________________________________________________
Announcement ID: openSUSE-SU-2013:0462-1
Rating: moderate
References: #798452 #803336 #803339
Cross-References: CVE-2013-0183 CVE-2013-0184 CVE-2013-0262
CVE-2013-0263 CVE-2013-0276 CVE-2013-0277
Affected Products:
openSUSE 11.4
______________________________________________________________________________
An update that fixes 6 vulnerabilities is now available.
Description:
The Ruby on Rails 2.3 stack was updated to 2.3.17.
The Ruby Rack was updated to 1.1.6.
The updates fix various security issues and bugs.
- update to version 2.3.17 (bnc#803336, bnc#803339)
CVE-2013-0276 CVE-2013-0277:
- Fix issue with attr_protected where malformed input
could circumvent protection
- Fix Serialized Attributes YAML Vulnerability
- update to 1.1.6 (bnc#802794)
* Fix CVE-2013-0263, timing attack against
Rack::Session::Cookie
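The CVE-2013-0263 entry above concerns a timing attack on the digest check of a signed session cookie. As an added illustration (not code from Rack or from this advisory), the sketch below verifies an HMAC-signed cookie with a comparison that does not exit at the first mismatching byte. The cookie layout "<base64 data>--<hex digest>", the SHA-256 choice, the secret and all method names are assumptions made for the example.

```ruby
require 'openssl'

# Constructed secret, for this example only.
SECRET = 'constructed-example-secret'

# Hex HMAC of the encoded session data.
def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
end

# Build a cookie value of the form "<base64 data>--<hex digest>".
def build_cookie(payload, secret = SECRET)
  data = [payload].pack('m0') # strict base64, no newlines
  "#{data}--#{sign(data, secret)}"
end

# Compare two strings without stopping at the first difference:
# every byte pair is XORed and the results are ORed together, so the
# work done does not reveal how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Return the decoded payload when the digest verifies, otherwise nil.
# A plain `expected == digest` here is the pattern a timing attack
# targets, because string equality returns at the first mismatch.
def verify_cookie(cookie, secret = SECRET)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(sign(data, secret), digest)
  data.unpack1('m0')
rescue ArgumentError
  nil # data was not valid base64
end
```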
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 11.4:
zypper in -t patch 2013-42
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 11.4 (i586 x86_64):
rubygem-actionmailer-2_3-2.3.17-0.24.1
rubygem-actionmailer-2_3-doc-2.3.17-0.24.1
rubygem-actionmailer-2_3-testsuite-2.3.17-0.24.1
rubygem-actionpack-2_3-2.3.17-31.1
rubygem-actionpack-2_3-doc-2.3.17-31.1
rubygem-actionpack-2_3-testsuite-2.3.17-31.1
rubygem-activerecord-2_3-2.3.17-27.1
rubygem-activerecord-2_3-doc-2.3.17-27.1
rubygem-activerecord-2_3-testsuite-2.3.17-27.1
rubygem-activeresource-2_3-2.3.17-24.1
rubygem-activeresource-2_3-doc-2.3.17-24.1
rubygem-activeresource-2_3-testsuite-2.3.17-24.1
rubygem-activesupport-2_3-2.3.17-24.1
rubygem-activesupport-2_3-doc-2.3.17-24.1
rubygem-rack-1.1.6-16.1
rubygem-rails-2_3-2.3.17-20.1
rubygem-rails-2_3-doc-2.3.17-20.1
- openSUSE 11.4 (noarch):
rubygem-actionmailer-2.3.17-14.1
rubygem-actionpack-2.3.17-14.1
rubygem-activerecord-2.3.17-14.1
rubygem-activeresource-2.3.17-14.1
rubygem-activesupport-2.3.17-14.1
rubygem-rails-2.3.17-14.1
References:
http://support.novell.com/security/cve/CVE-2013-0183.html
http://support.novell.com/security/cve/CVE-2013-0184.html
http://support.novell.com/security/cve/CVE-2013-0262.html
http://support.novell.com/security/cve/CVE-2013-0263.html
http://support.novell.com/security/cve/CVE-2013-0276.html
http://support.novell.com/security/cve/CVE-2013-0277.html
https://bugzilla.novell.com/798452
https://bugzilla.novell.com/803336
https://bugzilla.novell.com/803339