From ${URL} :

Tasha Drew reports:

Researchers investigating the Rails parameter parsing vulnerability discovered that the same or similar vulnerable code had made its way into multiple other libraries. If your application uses these libraries to process untrusted data, it may still be vulnerable even if you have upgraded Rails. Check your Gemfile and Gemfile.lock for vulnerable versions of the following libraries, and if you are using one, update it immediately. You can update each of these by using "bundle update <gem name>".

httparty
Vulnerable: <= 0.9.0
Fixed: 0.10.0

External references:
https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately
https://github.com/jnunemaker/httparty/commit/53a812426dd32108d6cba4272b493aa03bc8c031
https://rubygems.org/gems/httparty/
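The Gemfile.lock check recommended above, as an added example (not part of the report or the httparty project): it parses the "specs:" section of a lockfile and flags httparty at or below 0.9.0 using Gem::Version ordering, so 0.10.0 is correctly treated as newer than 0.9.0. The ADVISORIES table and SAMPLE_LOCK are constructed for the example.

```ruby
require 'rubygems'

# Advisory data taken from the report above: gem name => version bounds.
ADVISORIES = {
  'httparty' => { vulnerable_through: '0.9.0', fixed_in: '0.10.0' },
}.freeze

# Parse the "specs:" section of a Gemfile.lock into {name => version}.
# Resolved gems are listed as "    name (version)" (four-space indent);
# their dependencies are indented six spaces and are skipped.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    # A non-indented line (PLATFORMS, DEPENDENCIES, ...) ends the specs block.
    in_specs = false if in_specs && line !~ /\A\s/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \((\d[^)]*)\)\s*\z/))
      gems[m[1]] = m[2]
    end
  end
  gems
end

# Return [[name, version, fixed_in], ...] for locked gems at or below the
# last vulnerable version. Gem::Version compares numerically, not as strings.
def vulnerable_gems(lockfile_text)
  parse_lockfile(lockfile_text).filter_map do |name, version|
    adv = ADVISORIES[name]
    next unless adv
    next unless Gem::Version.new(version) <= Gem::Version.new(adv[:vulnerable_through])
    [name, version, adv[:fixed_in]]
  end
end

# Constructed sample lockfile with httparty pinned to a vulnerable release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      httparty (0.9.0)
        multi_json (~> 1.0)
        multi_xml
      multi_json (1.5.0)
      multi_xml (0.5.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    httparty
LOCK

if __FILE__ == $0
  vulnerable_gems(SAMPLE_LOCK).each do |name, ver, fixed|
    puts "#{name} #{ver} is vulnerable; run: bundle update #{name} (fixed in #{fixed})"
  end
end
```

Point it at a real lockfile with `vulnerable_gems(File.read('Gemfile.lock'))`.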
httparty 0.10.2 is now in the tree. There are no stable versions.
Thanks, Hans. Closing noglsa for ~arch only.
CVE-2013-1801 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1801): The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.