
Bug 501750 (CVE-2014-0080)

Summary: <dev-ruby/rails-{3.2.17:3.2,4.0.3:4.0}: DoS and XSS vulnerability (CVE-2014-{0080,0081,0082})
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2014-02-19 06:54:07 UTC
Data Injection Vulnerability in Active Record

There is a data injection vulnerability in Active Record. Specially
crafted strings can be used to save data in PostgreSQL array columns that may
not be intended. This vulnerability has been assigned the CVE identifier
CVE-2014-0080.

Versions Affected:  4.0.x, 4.1.0.beta1
Not affected:       3.2.x and older
Fixed Versions:     4.0.3, 4.1.0.beta2


XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human

There is an XSS vulnerability in the number_to_currency, number_to_percentage
and number_to_human helpers in Ruby on Rails. This vulnerability has been
assigned the CVE identifier CVE-2014-0081.

Versions Affected:  All.
Fixed Versions:     4.1.0.beta2, 4.0.3, 3.2.17. 


Denial of Service Vulnerability in Action View when using render :text

There is a denial of service vulnerability in the text rendering component of
Action View. This vulnerability has been assigned the CVE identifier
CVE-2014-0082.

Versions Affected: 3.0.x, 3.1.x, 3.2.x
Not affected: 4.0.x
Fixed Versions: 3.2.17
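Added illustration of the CVE-2014-0081 pattern (not part of the bug report, and not Rails' own code). The upstream advisory linked in the URL field attributes the XSS to option values such as unit, format, separator and delimiter being interpolated into the helper's html_safe output without escaping, so a view that forwards user input into one of those options emits it verbatim. The module below is a deliberately simplified stand-in for number_to_currency written for this page: the "unsafe" method reproduces the vulnerable pattern, the hardened one escapes every option string before interpolation. The NumberHelpers name, the DEFAULTS values and the sample payload are constructed for the example.

```ruby
require "erb"

# Added illustration for CVE-2014-0081: a simplified stand-in for the Rails
# number_to_currency helper, not Rails' own implementation. Rails marks the
# helper's return value html_safe, so the view emits it as-is; any option
# string interpolated unescaped therefore reaches the browser verbatim.
module NumberHelpers
  DEFAULTS = { unit: "$", separator: ".", delimiter: ",",
               precision: 2, format: "%u%n" }.freeze

  # 1234567.891 -> "1,234,567.89"; delimiter and separator are inserted verbatim,
  # so the caller must pass them already escaped if they are untrusted.
  def self.format_number(number, precision:, delimiter:, separator:)
    int, frac = format("%.#{precision}f", number).split(".")
    int = int.gsub(/(\d)(?=(\d{3})+$)/) { "#{$1}#{delimiter}" }
    frac ? "#{int}#{separator}#{frac}" : int
  end

  # Vulnerable pattern: every option string lands in the markup unescaped.
  # A caller that forwards user input, e.g. unit: params[:currency], gets XSS.
  def self.number_to_currency_unsafe(number, options = {})
    opts = DEFAULTS.merge(options)
    n = format_number(number, precision: opts[:precision],
                      delimiter: opts[:delimiter], separator: opts[:separator])
    opts[:format].gsub("%n") { n }.gsub("%u") { opts[:unit] }
  end

  # Hardened pattern: HTML-escape each option before it is interpolated, so only
  # the formatted digits and the (escaped) template characters remain.
  def self.number_to_currency(number, options = {})
    opts = DEFAULTS.merge(options)
    esc = ->(s) { ERB::Util.html_escape(s.to_s) }
    n = format_number(number, precision: opts[:precision],
                      delimiter: esc.(opts[:delimiter]),
                      separator: esc.(opts[:separator]))
    esc.(opts[:format]).gsub("%n") { n }.gsub("%u") { esc.(opts[:unit]) }
  end
end

if $PROGRAM_NAME == __FILE__
  payload = "<script>alert(1)</script>" # constructed attacker-controlled unit
  puts NumberHelpers.number_to_currency_unsafe(1234.5, unit: payload)
  puts NumberHelpers.number_to_currency(1234.5, unit: payload)
end
```

The practical check for an application on an affected version is the same as the hardened method: grep views and helpers for number_to_currency, number_to_percentage and number_to_human calls whose unit, format, separator or delimiter option comes from params, the database or any other untrusted source, and either upgrade to 3.2.17 / 4.0.3 or escape those values before passing them in.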
Comment 1 Hans de Graaff gentoo-dev Security 2014-02-19 08:19:11 UTC
Rails 3.2.17 and 4.0.3 are now in the tree. There are no stable versions at the moment.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-19 10:37:44 UTC
(In reply to Hans de Graaff from comment #1)
> Rails 3.2.17 and 4.0.3 are now in the tree. There are no stable versions at
> the moment.

Cleanup, please.
Comment 3 Hans de Graaff gentoo-dev Security 2014-04-21 13:01:30 UTC
Vulnerable versions have been removed.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-04-21 23:05:08 UTC
Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.