| Summary: | dev-ruby/rails-{2.3.14,3.0.10}: Several security bugs in Rails (CVE-2011-{2929,2930,2931,2932,3186}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | chewi, ruby |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://weblog.rubyonrails.org/2011/8/16/ann-rails-2-3-14 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 354249 | | |
Description
Hans de Graaff
2011-08-17 05:58:03 UTC

Note that this isn't specific to these exact versions. It affects 2.3.x and 3.0.x.

This sucks because I have to update all my sites but the good news is you have an excuse to not support the earlier versions.

---

Rails 2.3.14 is now in the tree. Rails 3.0.9 isn't stable yet so it should not impact GLSA handling.

---

(In reply to comment #2)
> Rails 2.3.14 is now in the tree. Rails 3.0.9 isn't stable yet so it should not
> impact GLSA handling.

Great, thanks. Would it be possible to add 3.0.10 to the tree as ~arch please? We don't need to stabilize it, but our policy would have it added to the tree.

---

Arches, please test and mark stable:
=dev-ruby/rails-2.3.14
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"

Packages that need the keyword:
=dev-ruby/rails-2.3.14
=dev-ruby/activerecord-2.3.14
=dev-ruby/activesupport-2.3.14
=dev-ruby/actionpack-2.3.14
=dev-ruby/activeresource-2.3.14
=dev-ruby/actionmailer-2.3.14

---

All packages pass tests.

amd64 ok

---

(In reply to comment #3)
> Great, thanks. Would it be possible to add 3.0.10 to the tree as ~arch please?
> We don't need to stabilize it, but our policy would have it added to the tree.

Yes, but as usual with these newer versions there are again test issues with 3.0.10 that should be resolved, and I gave priority to the stable version. I expect to add 3.0.10 this weekend at the latest.

---

```
+ 18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> activerecord-2.3.14.ebuild:
+ Marked stable as a dependency of dev-ruby/rails based on arch testing by
+ Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+ 18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> activesupport-2.3.14.ebuild:
+ Marked stable as a dependency of dev-ruby/rails based on arch testing by
+ Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+ 18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> actionpack-2.3.14.ebuild:
+ Marked stable as a dependency of dev-ruby/rails based on arch testing by
+ Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+ 18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> activeresource-2.3.14.ebuild:
+ Marked stable as a dependency of dev-ruby/rails based on arch testing by
+ Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+ 18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> actionmailer-2.3.14.ebuild:
+ Marked stable as a dependency of dev-ruby/rails based on arch testing by
+ Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+ 18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> rails-2.3.14.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+ security bug #379511 filed by Hans de Graaff.
```

---

(In reply to comment #5)
> (In reply to comment #3)
>
> > Great, thanks. Would it be possible to add 3.0.10 to the tree as ~arch please?
> > We don't need to stabilize it, but our policy would have it added to the tree.
>
> Yes, but as usual with these newer versions there are again test issues with
> 3.0.10 that should be resolved, and I gave priority to the stable version. I
> expect to add 3.0.10 this weekend at the latest.

Understood, and thank you for that. We'll do stabilization for 2.3.14 now and hold this bug open until 3.0.10 is in the tree.

---

ppc/ppc64 stable

---

x86 stable

---

ia64/sparc stable

---

Thanks, folks. GLSA Vote: yes.

---

Actually, we need 3.0.10 in the tree before this can be closed too.

---

CVE-2011-3186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3186): CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.

CVE-2011-2932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2932): Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."

CVE-2011-2931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2931): Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.

CVE-2011-2930 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2930): Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.

CVE-2011-2929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2929): The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."

---

Rails 3.0.10 is now also in CVS.

---

Vote: YES. Added to pending GLSA request.

---

This issue was resolved and addressed in GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml by GLSA coordinator Sean Amoss (ackle).
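The CRLF-injection class of bug behind CVE-2011-3186 above is worth seeing in code: a header value carrying CR/LF terminates the header line and lets a second header follow it. The Ruby below is an added example written for this page, not code from the bug report or from Rails; the helper names (`safe_header_value?`, `set_header!`, `serialized_header_lines`) are hypothetical, and the sample value is constructed.

```ruby
# Added example (not from the bug report or from Rails itself): a defensive
# check for the bug class behind CVE-2011-3186, where a CR/LF sequence in a
# header value such as Content-Type ends the header line early (HTTP
# response splitting). Helper names are hypothetical; Rails' own fix lives
# in response.rb and is not reproduced here.

# Raised when a header value would break out of its header line.
class HeaderInjectionError < StandardError; end

# Bare CR, LF and NUL are never valid inside a header field value, so a
# single character-class check is enough to reject the whole bug class.
FORBIDDEN_HEADER_CHARS = /[\r\n\0]/

# Returns true when +value+ can be emitted as exactly one header field value.
def safe_header_value?(value)
  !value.to_s.match?(FORBIDDEN_HEADER_CHARS)
end

# Stores +name+ => +value+ in +headers+ (a Hash), refusing rather than
# silently emitting a value that contains a line break. Returns the Hash.
def set_header!(headers, name, value)
  raise HeaderInjectionError, "#{name} contains CR/LF" unless safe_header_value?(value)
  headers[name] = value.to_s
  headers
end

# Counts the header lines a naive "Name: value" serialisation would really
# send; an unchecked value with a line break shows up as more than one line.
def serialized_header_lines(headers)
  headers.map { |k, v| "#{k}: #{v}" }.join("\r\n").split(/\r\n|\r|\n/).size
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a Content-Type derived from an untrusted request
  # parameter, with an injected line break that smuggles in a second header.
  hostile = "text/html\r\nX-Injected: 1"
  puts serialized_header_lines("Content-Type" => hostile)   # 2 lines: split
  begin
    set_header!({}, "Content-Type", hostile)
  rescue HeaderInjectionError => e
    puts "rejected: #{e.message}"
  end
end
```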