Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 379511 - <dev-ruby/rails-{2.3.14,3.0.10}: Several security bugs in Rails (CVE-2011-{2929,2930,2931,2932,3186})
Summary: <dev-ruby/rails-{2.3.14,3.0.10}: Several security bugs in Rails (CVE-2011-{29...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2011/8/...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2011-0446
  Show dependency tree
 
Reported: 2011-08-17 05:58 UTC by Hans de Graaff
Modified: 2014-12-14 20:35 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2011-08-17 05:58:03 UTC
Several security issues have been found and fixed in Rails 2.3.12 and 3.0.9. 

http://weblog.rubyonrails.org/2011/8/16/ann-rails-2-3-14
http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-0-10
Comment 1 James Le Cuirot gentoo-dev 2011-08-17 08:47:18 UTC
Note that this isn't specific to these exact versions. It affects 2.3.x and 3.0.x. This sucks because I have to update all my sites but the good news is you have an excuse to not support the earlier versions.
Comment 2 Hans de Graaff gentoo-dev 2011-08-17 08:57:08 UTC
Rails 2.3.14 is now in the tree. Rails 3.0.9 isn't stable yet so it should not impact GLSA handling.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 20:16:00 UTC
(In reply to comment #2)
> Rails 2.3.14 is now in the tree. Rails 3.0.9 isn't stable yet so it should not
> impact GLSA handling.

Great, thanks. Would it be possible to add 3.0.10 to the tree as ~arch please? We don't need to stabilize it, but our policy would have it added to the tree.

Arches, please test and mark stable:
=dev-ruby/rails-2.3.14
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-08-17 23:41:22 UTC
Packages that need the keyword:

=dev-ruby/rails-2.3.14
=dev-ruby/activerecord-2.3.14
=dev-ruby/activesupport-2.3.14
=dev-ruby/actionpack-2.3.14
=dev-ruby/activeresource-2.3.14
=dev-ruby/actionmailer-2.3.14

All packages pass tests. 

amd64 ok
Comment 5 Hans de Graaff gentoo-dev 2011-08-18 05:54:11 UTC
(In reply to comment #3)

> Great, thanks. Would it be possible to add 3.0.10 to the tree as ~arch please?
> We don't need to stabilize it, but our policy would have it added to the tree.

Yes, but as usual with these newer versions there are again test issues with 3.0.10 that should be resolved, and I gave priority to the stable version. I expect to add 3.0.10 this weekend at the latest.
Comment 6 Tony Vroon gentoo-dev 2011-08-18 10:08:13 UTC
+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> activerecord-2.3.14.ebuild:
+  Marked stable as a dependency of dev-ruby/rails based on arch testing by
+  Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> activesupport-2.3.14.ebuild:
+  Marked stable as a dependency of dev-ruby/rails based on arch testing by
+  Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> actionpack-2.3.14.ebuild:
+  Marked stable as a dependency of dev-ruby/rails based on arch testing by
+  Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> activeresource-2.3.14.ebuild:
+  Marked stable as a dependency of dev-ruby/rails based on arch testing by
+  Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> actionmailer-2.3.14.ebuild:
+  Marked stable as a dependency of dev-ruby/rails based on arch testing by
+  Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> rails-2.3.14.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Saurbbo in
+  security bug #379511 filed by Hans de Graaff.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-08-18 16:20:01 UTC
(In reply to comment #5)
> (In reply to comment #3)
> 
> > Great, thanks. Would it be possible to add 3.0.10 to the tree as ~arch please?
> > We don't need to stabilize it, but our policy would have it added to the tree.
> 
> Yes, but as usual with these newer versions there are again test issues with
> 3.0.10 that should be resolved, and I gave priority to the stable version. I
> expect to add 3.0.10 this weekend at the latest.

Understood, and thank you for that. We'll do stabilization for 2.3.14 now and hold this bug open until 3.0.10 is in the tree.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-18 17:45:17 UTC
ppc/ppc64 stable
Comment 9 Markus Meier gentoo-dev 2011-08-24 19:21:09 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-08-27 19:11:18 UTC
ia64/sparc stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-08-28 02:01:24 UTC
Thanks, folks. GLSA Vote: yes.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-08-28 14:49:14 UTC
Actually, we need 3.0.10 in the tree before this can be closed too.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-09-02 17:29:53 UTC
CVE-2011-3186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3186):
  CRLF injection vulnerability in actionpack/lib/action_controller/response.rb
  in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject
  arbitrary HTTP headers and conduct HTTP response splitting attacks via the
  Content-Type header.

CVE-2011-2932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2932):
  Cross-site scripting (XSS) vulnerability in
  activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on
  Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5
  allows remote attackers to inject arbitrary web script or HTML via a
  malformed Unicode string, related to a "UTF-8 escaping vulnerability."

CVE-2011-2931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2931):
  Cross-site scripting (XSS) vulnerability in the strip_tags helper in
  actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on
  Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows
  remote attackers to inject arbitrary web script or HTML via a tag with an
  invalid name.

CVE-2011-2930 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2930):
  Multiple SQL injection vulnerabilities in the quote_table_name method in the
  ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/
  in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before
  3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a
  crafted column name.

CVE-2011-2929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2929):
  The template selection functionality in
  actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x
  before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob
  characters, which allows remote attackers to render arbitrary views via a
  crafted URL, related to a "filter skipping vulnerability."
Comment 14 Hans de Graaff gentoo-dev 2011-09-28 07:36:52 UTC
Rails 3.0.10 is now also in CVS.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:28:09 UTC
Vote: YES. Added to pending GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-12-14 20:35:40 UTC
This issue was resolved and addressed in
 GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml
by GLSA coordinator Sean Amoss (ackle).