Candidate: CVE-2013-0155
PublicDate: 2013-01-13
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155
http://www.openwall.com/lists/oss-security/2013/01/08/13
Description:
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before
3.2.11 does not properly consider differences in parameter handling between
the Active Record component and the JSON implementation, which allows
remote attackers to bypass intended database-query restrictions and perform
NULL checks or trigger missing WHERE clauses via a crafted request, as
demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660
and CVE-2012-2694.
Ubuntu-Description:
Notes:
mdeslaur> in Oneiric+, rails package is just for transition
jdstrand> vulnerabilities are in ruby-actionpack* and ruby-activerecord* in
Ubuntu 11.10 and higher
jdstrand> per Debian, ruby-actionpack-2.3 not-affected (only
ruby-activerecord-2.3)
Bugs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697744
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697802
https://bugs.launchpad.net/bugs/1100188
Priority: high
Discovered-by:
Assigned-to:
Patches_rails:
vendor: http://www.debian.org/security/2013/dsa-2609
upstream_rails: needs-triage
hardy_rails: ignored (reached end-of-life)
lucid_rails: ignored (reached end-of-life)
oneiric_rails: not-affected (contains no code)
precise_rails: not-affected (contains no code)
quantal_rails: not-affected (contains no code)
raring_rails: not-affected (contains no code)
saucy_rails: not-affected (contains no code)
devel_rails: not-affected (contains no code)
Patches_ruby-actionpack-2.3:
upstream_ruby-actionpack-2.3: needs-triage
hardy_ruby-actionpack-2.3: DNE
lucid_ruby-actionpack-2.3: DNE
oneiric_ruby-actionpack-2.3: not-affected
precise_ruby-actionpack-2.3: not-affected
quantal_ruby-actionpack-2.3: not-affected
raring_ruby-actionpack-2.3: not-affected
saucy_ruby-actionpack-2.3: not-affected
devel_ruby-actionpack-2.3: not-affected
Patches_ruby-activerecord-2.3:
upstream_ruby-activerecord-2.3: released (2.3.14-4)
hardy_ruby-activerecord-2.3: DNE
lucid_ruby-activerecord-2.3: DNE
oneiric_ruby-activerecord-2.3: released (2.3.14-1ubuntu0.11.10.1)
precise_ruby-activerecord-2.3: released (2.3.14-1ubuntu0.12.04.1)
quantal_ruby-activerecord-2.3: released (2.3.14-2ubuntu0.1)
raring_ruby-activerecord-2.3: released (2.3.14-4)
saucy_ruby-activerecord-2.3: released (2.3.14-4)
devel_ruby-activerecord-2.3: released (2.3.14-4)
Patches_ruby-actionpack-3.2:
upstream_ruby-actionpack-3.2: released (3.2.6-5)
hardy_ruby-actionpack-3.2: DNE
lucid_ruby-actionpack-3.2: DNE
oneiric_ruby-actionpack-3.2: DNE
precise_ruby-actionpack-3.2: DNE
quantal_ruby-actionpack-3.2: released (3.2.6-4ubuntu0.1)
raring_ruby-actionpack-3.2: not-affected (3.2.6-5)
saucy_ruby-actionpack-3.2: not-affected (3.2.6-5)
devel_ruby-actionpack-3.2: not-affected (3.2.6-5)
Patches_ruby-activerecord-3.2:
upstream_ruby-activerecord-3.2: released (3.2.6-4)
hardy_ruby-activerecord-3.2: DNE
lucid_ruby-activerecord-3.2: DNE
oneiric_ruby-activerecord-3.2: DNE
precise_ruby-activerecord-3.2: DNE
quantal_ruby-activerecord-3.2: released (3.2.6-2ubuntu0.1)
raring_ruby-activerecord-3.2: not-affected (3.2.6-4)
saucy_ruby-activerecord-3.2: not-affected (3.2.6-4)
devel_ruby-activerecord-3.2: not-affected (3.2.6-4)