| Summary: | dev-ruby/rails <1.2.5 Multiple vulnerabilities (CVE-2007-{3227,5379,5380}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Rajiv Aaron Manglani (RETIRED) <rajiv> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | durchanek, ruby |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 182223 | | |
Description
Rajiv Aaron Manglani (RETIRED)
The JSON problem, although not mentioned in the security announcement, is being addressed in bug #182223. Rails 1.2.4 is already in the tree and if no regressions are found we'll ask for it to become stable this weekend.

So it seems that Rails 1.2.5 is forthcoming shortly to address the problem with JSON encoding once more. I propose we wait until Rails 1.2.5 is out and stabilize that once it is in the tree.

http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release

From: DHH <david.heinemeier@gmail.com>
To: "Ruby on Rails: Security" <rubyonrails-security@googlegroups.com>
Date: Fri, 12 Oct 2007 16:50:53 -0000
Subject: Rails 1.2.5: Closes JSON XSS vulnerability
Reply-To: rubyonrails-security@googlegroups.com

This release closes a JSON XSS vulnerability, fixes a couple of minor regressions introduced in 1.2.4, and backports a handful of features and fixes from the 2.0 preview release. All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5, though it isn't strictly necessary if you aren't working with JSON. For more information on the JSON vulnerability, see CVE-2007-3227.

Rails 1.2.5 and friends just got added to CVS. Since upstream in all its wisdom decided to also include a few features that are backported from the forthcoming 2.0 branch, I'd like to test this a bit more before we start to stable it. Let's aim for a call to stable this on Monday.

(In reply to comment #4)
> ... I'd like to test this a bit more before we start to stable it.
> Let's aim for a call to stable this on Monday.

Did you experience any regressions, is it ok to go?

We should be good to go. No reports of any issues and I've also not noticed any regressions or problems in my own tests.

Arches, please stabilize dev-ruby/rails-1.2.5 and its dependencies. Both Rails 1.2.4 and 1.2.5 contain security fixes compared to Rails 1.2.3-r1.

The following packages need to be stabilized in this order to avoid dependency issues:

eselect-rails-0.10 (already stable on arches that have marked rails 1.2.3-r1 as stable)
activesupport-1.4.4
activerecord-1.15.5
actionpack-1.13.5
actionmailer-1.3.5
actionwebservice-1.2.5
rails-1.2.5

Note that this bug supersedes bug #177209, calling for the stabilization of rails-1.2.3-r1

*** This bug has been marked as a duplicate of bug 177209 ***

Of course it should be the other way round

*** Bug 177209 has been marked as a duplicate of this bug. ***

*** Bug 182223 has been marked as a duplicate of this bug. ***

x86 stable

ia64/sparc stable

ppc stable

amd64 stable

Proposing B3. Please vote!

Together with bug #182223, we have these issues:

CVE-2007-5380: Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."

CVE-2007-5379: Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

CVE-2007-3227: Cross-site scripting (XSS) vulnerability in the to_json function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.

I tend to vote YES.

(In reply to comment #15)
> CVE-2007-5380:
> Session fixation vulnerability

perhaps...

> CVE-2007-5379:
> files and read arbitrary XML files via the Hash.from_xml
> (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely,
> as demonstrated by reading passwords from the Pidgin (Gaim)

mmm

> CVE-2007-3227:
> Cross-site scripting (XSS) vulnerability in the to_json function in

non-persistent XSS, I would vote no for this CVE.

Globally I vote nothing, sorry...

(In reply to comment #15)
> ... read arbitrary XML files via the Hash.from_xml
> (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely,
> as demonstrated by reading passwords from the Pidgin (Gaim)
> .purple/accounts.xml file.

I would vote yes for this issue. XML might not be the dominant way to save configurations and passwords, but I would not call it uncommon, so reading those files could be quite a breach for users.

voting yes too, glsa request filed.

GLSA 200711-17
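The to_json issue (CVE-2007-3227) voted on above comes down to JSON output being embedded in an HTML script context while still containing raw `<`, `>` and `&`. The Ruby below is an added example, not code from Rails or from this bug: it puts the naive encoding beside a hardened form that rewrites those characters as `\u00XX` escapes (the approach the 1.2.5 fix took), using the stdlib `json` library rather than the Rails encoder, with a constructed sample input.

```ruby
# Added example: why escaping <, > and & in JSON strings closes a
# script-context XSS. A JSON parser decodes "\u003c" back to "<", but an
# HTML parser scanning an inline <script> block no longer sees "</script".
require 'json'

# Characters that are harmless to JSON but significant to an HTML parser.
# Single quotes keep the backslash literal, so each value is a 6-char escape.
HTML_SIGNIFICANT = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# Constructed sample of untrusted user input that a view might embed via to_json.
SAMPLE_INPUT = { 'name' => '</script><b>hi</b>' }.freeze

# Mirrors the pre-fix behaviour: relies on the JSON library's own escaping,
# which leaves <, > and & untouched.
def json_unsafe(value)
  JSON.generate(value)
end

# Hardened form: generate JSON, then rewrite HTML-significant characters as
# unicode escapes. These characters can only occur inside JSON string
# literals (never as structural tokens), so a global rewrite is safe.
def json_html_safe(value)
  JSON.generate(value).gsub(/[<>&]/) { |c| HTML_SIGNIFICANT[c] }
end

# True when the emitted JSON could terminate an enclosing <script> element.
def breaks_out_of_script?(json)
  json.downcase.include?('</script')
end

if __FILE__ == $0
  puts "unsafe: #{json_unsafe(SAMPLE_INPUT)}"
  puts "safe:   #{json_html_safe(SAMPLE_INPUT)}"
end
```
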