Candidate: CVE-2013-0155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155
http://www.openwall.com/lists/oss-security/2013/01/08/13

Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before
3.2.11 does not properly consider differences in parameter handling between
the Active Record component and the JSON implementation, which allows
remote attackers to bypass intended database-query restrictions and perform
NULL checks or trigger missing WHERE clauses via a crafted request, as
demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660

mdeslaur> in Oneiric+, rails package is just for transition
jdstrand> vulnerabilities are in ruby-actionpack* and ruby-activerecord* in
Ubuntu 11.10 and higher
jdstrand> per Debian, ruby-actionpack-2.3 not-affected (only
ruby-activerecord-2.3)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697744
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697802
https://bugs.launchpad.net/bugs/1100188

vendor: http://www.debian.org/security/2013/dsa-2609
upstream_rails: needs-triage
hardy_rails: ignored (reached end-of-life)
lucid_rails: ignored (reached end-of-life)
oneiric_rails: not-affected (contains no code)
precise_rails: not-affected (contains no code)
quantal_rails: not-affected (contains no code)
raring_rails: not-affected (contains no code)
saucy_rails: not-affected (contains no code)
devel_rails: not-affected (contains no code)

Patches_ruby-actionpack-2.3:
upstream_ruby-actionpack-2.3: needs-triage
hardy_ruby-actionpack-2.3: DNE
lucid_ruby-actionpack-2.3: DNE
oneiric_ruby-actionpack-2.3: not-affected
precise_ruby-actionpack-2.3: not-affected
quantal_ruby-actionpack-2.3: not-affected
raring_ruby-actionpack-2.3: not-affected
saucy_ruby-actionpack-2.3: not-affected
devel_ruby-actionpack-2.3: not-affected

Patches_ruby-activerecord-2.3:
upstream_ruby-activerecord-2.3: released (2.3.14-4)
hardy_ruby-activerecord-2.3: DNE
lucid_ruby-activerecord-2.3: DNE
oneiric_ruby-activerecord-2.3: released (2.3.14-1ubuntu0.11.10.1)
precise_ruby-activerecord-2.3: released (2.3.14-1ubuntu0.12.04.1)
quantal_ruby-activerecord-2.3: released (2.3.14-2ubuntu0.1)
raring_ruby-activerecord-2.3: released (2.3.14-4)
saucy_ruby-activerecord-2.3: released (2.3.14-4)
devel_ruby-activerecord-2.3: released (2.3.14-4)

Patches_ruby-actionpack-3.2:
upstream_ruby-actionpack-3.2: released (3.2.6-5)
hardy_ruby-actionpack-3.2: DNE
lucid_ruby-actionpack-3.2: DNE
oneiric_ruby-actionpack-3.2: DNE
precise_ruby-actionpack-3.2: DNE
quantal_ruby-actionpack-3.2: released (3.2.6-4ubuntu0.1)
raring_ruby-actionpack-3.2: not-affected (3.2.6-5)
saucy_ruby-actionpack-3.2: not-affected (3.2.6-5)
devel_ruby-actionpack-3.2: not-affected (3.2.6-5)

Patches_ruby-activerecord-3.2:
upstream_ruby-activerecord-3.2: released (3.2.6-4)
hardy_ruby-activerecord-3.2: DNE
lucid_ruby-activerecord-3.2: DNE
oneiric_ruby-activerecord-3.2: DNE
precise_ruby-activerecord-3.2: DNE
quantal_ruby-activerecord-3.2: released (3.2.6-2ubuntu0.1)
raring_ruby-activerecord-3.2: not-affected (3.2.6-4)
saucy_ruby-activerecord-3.2: not-affected (3.2.6-4)
devel_ruby-activerecord-3.2: not-affected (3.2.6-4)