~ubuntu-security/ubuntu-cve-tracker/master

Candidate: CVE-2013-0155
PublicDate: 2013-01-13
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155
 http://www.openwall.com/lists/oss-security/2013/01/08/13
Description:
 Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before
 3.2.11 does not properly consider differences in parameter handling between
 the Active Record component and the JSON implementation, which allows
 remote attackers to bypass intended database-query restrictions and perform
 NULL checks or trigger missing WHERE clauses via a crafted request, as
 demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660
 and CVE-2012-2694.
Ubuntu-Description:
Notes:
 mdeslaur> in Oneiric+, rails package is just for transition
 jdstrand> vulnerabilities are in ruby-actionpack* and ruby-activerecord* in
  Ubuntu 11.10 and higher
 jdstrand> per Debian, ruby-actionpack-2.3 not-affected (only
  ruby-activerecord-2.3)
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697744
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697802
 https://bugs.launchpad.net/bugs/1100188
Priority: high
Discovered-by:
Assigned-to:

Patches_rails:
 vendor: http://www.debian.org/security/2013/dsa-2609
upstream_rails: needs-triage
hardy_rails: ignored (reached end-of-life)
lucid_rails: ignored (reached end-of-life)
oneiric_rails: not-affected (contains no code)
precise_rails: not-affected (contains no code)
quantal_rails: not-affected (contains no code)
raring_rails: not-affected (contains no code)
saucy_rails: not-affected (contains no code)
devel_rails: not-affected (contains no code)

Patches_ruby-actionpack-2.3:
upstream_ruby-actionpack-2.3: needs-triage
hardy_ruby-actionpack-2.3: DNE
lucid_ruby-actionpack-2.3: DNE
oneiric_ruby-actionpack-2.3: not-affected
precise_ruby-actionpack-2.3: not-affected
quantal_ruby-actionpack-2.3: not-affected
raring_ruby-actionpack-2.3: not-affected
saucy_ruby-actionpack-2.3: not-affected
devel_ruby-actionpack-2.3: not-affected

Patches_ruby-activerecord-2.3:
upstream_ruby-activerecord-2.3: released (2.3.14-4)
hardy_ruby-activerecord-2.3: DNE
lucid_ruby-activerecord-2.3: DNE
oneiric_ruby-activerecord-2.3: released (2.3.14-1ubuntu0.11.10.1)
precise_ruby-activerecord-2.3: released (2.3.14-1ubuntu0.12.04.1)
quantal_ruby-activerecord-2.3: released (2.3.14-2ubuntu0.1)
raring_ruby-activerecord-2.3: released (2.3.14-4)
saucy_ruby-activerecord-2.3: released (2.3.14-4)
devel_ruby-activerecord-2.3: released (2.3.14-4)

Patches_ruby-actionpack-3.2:
upstream_ruby-actionpack-3.2: released (3.2.6-5)
hardy_ruby-actionpack-3.2: DNE
lucid_ruby-actionpack-3.2: DNE
oneiric_ruby-actionpack-3.2: DNE
precise_ruby-actionpack-3.2: DNE
quantal_ruby-actionpack-3.2: released (3.2.6-4ubuntu0.1)
raring_ruby-actionpack-3.2: not-affected (3.2.6-5)
saucy_ruby-actionpack-3.2: not-affected (3.2.6-5)
devel_ruby-actionpack-3.2: not-affected (3.2.6-5)

Patches_ruby-activerecord-3.2:
upstream_ruby-activerecord-3.2: released (3.2.6-4)
hardy_ruby-activerecord-3.2: DNE
lucid_ruby-activerecord-3.2: DNE
oneiric_ruby-activerecord-3.2: DNE
precise_ruby-activerecord-3.2: DNE
quantal_ruby-activerecord-3.2: released (3.2.6-2ubuntu0.1)
raring_ruby-activerecord-3.2: not-affected (3.2.6-4)
saucy_ruby-activerecord-3.2: not-affected (3.2.6-4)
devel_ruby-activerecord-3.2: not-affected (3.2.6-4)