First published: Thu Jan 10 2013
Ruby on Rails is a model–view–controller (MVC) framework for web application development. Action Pack implements the controller and the view components. Active Record implements object-relational mapping for accessing database entries using objects. Active Support provides support and utility classes used by the Ruby on Rails framework.

Multiple flaws were found in the way Ruby on Rails performed XML parameter parsing in HTTP requests. A remote attacker could use these flaws to execute arbitrary code with the privileges of a Ruby on Rails application, perform SQL injection attacks, or bypass authentication using a specially crafted HTTP request. (CVE-2013-0156)

Red Hat is aware that a public exploit for the CVE-2013-0156 issues is available that allows remote code execution in applications using Ruby on Rails.

Multiple input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform an SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2012-6496, CVE-2013-0155)

Multiple input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform an SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694)

Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack. (CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)

A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424)

Users are advised to upgrade to these updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecord packages, which resolve these issues. Katello must be restarted ("service katello restart") for this update to take effect.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rubygem-actionpack | <3.0.10-11.el6cf | 3.0.10-11.el6cf |
| redhat/rubygem-activerecord | <3.0.10-8.el6cf | 3.0.10-8.el6cf |
| redhat/rubygem-activesupport | <3.0.10-5.el6cf | 3.0.10-5.el6cf |
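To check a host against the fix table above, here is an added Ruby example (not from the advisory or from Red Hat). It assumes a simplified reimplementation of rpm's version comparison and a constructed sample of `rpm -qa` output rather than querying the real package database.

```ruby
# Added example, not part of the advisory: flag installed rubygem packages
# that are still below the fixed versions. rpm_vercmp is a simplified
# reimplementation of rpm's rpmvercmp rules (assumed adequate here).

# Fixed versions from the advisory's "How to fix" column.
FIXED = {
  "rubygem-actionpack"    => "3.0.10-11.el6cf",
  "rubygem-activerecord"  => "3.0.10-8.el6cf",
  "rubygem-activesupport" => "3.0.10-5.el6cf",
}.freeze

# Split both strings into numeric and alphabetic segments and compare them
# pairwise: numeric segments compare as integers, alphabetic ones lexically,
# and a numeric segment outranks an alphabetic one. Returns -1, 0 or 1.
def rpm_vercmp(a, b)
  sa = a.scan(/\d+|[a-zA-Z]+/)
  sb = b.scan(/\d+|[a-zA-Z]+/)
  sa.zip(sb).each do |x, y|
    return 1 if y.nil?                 # a has more segments than b
    xn = x.match?(/\A\d+\z/)
    yn = y.match?(/\A\d+\z/)
    return (xn ? 1 : -1) if xn != yn
    c = xn ? (x.to_i <=> y.to_i) : (x <=> y)
    return c unless c.zero?
  end
  sa.length <=> sb.length
end

# Parse lines of "name version-release", the shape produced by
# rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' (not executed here).
def parse_rpm_output(text)
  text.lines.map(&:split).to_h
end

# Names of installed packages whose version is below the fixed one.
def vulnerable_packages(installed)
  FIXED.select { |name, fixed|
    installed.key?(name) && rpm_vercmp(installed[name], fixed) < 0
  }.keys
end

# Constructed sample output for a host that is only partly updated.
SAMPLE_RPM_OUTPUT = <<~OUT
  rubygem-actionpack 3.0.10-10.el6cf
  rubygem-activerecord 3.0.10-8.el6cf
  rubygem-activesupport 3.0.10-4.el6cf
OUT

vulnerable_packages(parse_rpm_output(SAMPLE_RPM_OUTPUT)).each do |name|
  puts "#{name} is below #{FIXED[name]}; update and restart Katello"
end
```

Feed it real output from the rpm query named in the comment to get the list of packages on a host that still need the update.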