| Summary: | dev-ruby/rails-2.3.18: Multiple Vulnerabilities (CVE-2013-{1854,1855,1856,1857}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | enno+gentoo, mrueg, ruby |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/52656/ | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
*** Bug 462474 has been marked as a duplicate of this bug. ***

CVE-2013-1857 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1857): The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence.

CVE-2013-1856 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1856): The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.

CVE-2013-1855 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1855): The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.

CVE-2013-1854 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1854): The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.

Rails 3.2.13, 3.1.12, and 2.3.18 are now in the tree.

Rails 2.3.x is still the only stable series and can be marked stable:

=dev-ruby/activesupport-2.3.18
=dev-ruby/activeresource-2.3.18
=dev-ruby/actionpack-2.3.18
=dev-ruby/actionmailer-2.3.18
=dev-ruby/activerecord-2.3.18
=dev-ruby/rails-2.3.18

amd64 stable

x86 stable

ppc stable

ppc64 stable

Added to existing GLSA draft, ready for review.

This issue was resolved and addressed in GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml by GLSA coordinator Sean Amoss (ackle).
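The CVE texts above describe the defects only at a high level. As an added illustration that is not part of this bug report or of the Rails code base, the following Ruby shows two defender-side checks matching two of the entries: validating a link's scheme only after decoding HTML numeric character references (the normalization gap behind CVE-2013-1857), and converting only allowlisted hash keys to symbols (the unbounded symbol creation behind CVE-2013-1854). `SAFE_SCHEMES`, the function names and the decoding helper are assumptions of this example, not Rails APIs.

```ruby
# Added example, not code from the Gentoo bug or from Rails. Names are invented.

SAFE_SCHEMES = %w[http https mailto ftp].freeze

# Decode decimal (&#58;) and hexadecimal (&#x3a;) numeric character
# references; code points outside the Unicode range are dropped.
def decode_numeric_refs(str)
  str.gsub(/&#(x[0-9a-f]+|[0-9]+);?/i) do
    code = Regexp.last_match(1)
    num = code =~ /\Ax/i ? code[1..-1].to_i(16) : code.to_i
    begin
      num.chr(Encoding::UTF_8)
    rescue RangeError
      ''
    end
  end
end

# Scheme of a URL after decoding, with leading control characters and
# whitespace removed and embedded tabs/newlines dropped (the WHATWG URL
# parser discards the same bytes). Returns nil for a relative URL.
def normalized_scheme(url)
  decoded = decode_numeric_refs(url)
  cleaned = decoded.sub(/\A[\x00-\x20]+/, '').gsub(/[\t\n\r]/, '')
  m = cleaned.match(/\A([a-z][a-z0-9+.\-]*):/i)
  m && m[1].downcase
end

# True when the URL is relative or uses an allowlisted scheme. Checking the
# raw string for a literal ':' would miss an encoded colon; normalizing first
# makes the check see what the browser will see.
def safe_url?(url)
  scheme = normalized_scheme(url)
  scheme.nil? || SAFE_SCHEMES.include?(scheme)
end

# Symbols were not garbage-collected on the Ruby versions Rails 2.3/3.x ran
# on, so turning attacker-chosen hash keys into symbols lets every request
# leak memory. Only keys naming known columns are converted; the rest are
# dropped instead of symbolized.
def symbolize_allowed_keys(params, allowed)
  allowed_names = allowed.map(&:to_s)
  params.each_with_object({}) do |(key, value), out|
    name = key.to_s
    out[name.to_sym] = value if allowed_names.include?(name)
  end
end
```

`symbolize_allowed_keys` would be called with the model's column names as `allowed`, so the number of distinct symbols created is bounded by the schema rather than by request input.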