From ${URL} : Tasha Drew reports: Researchers investigating the Rails parameter parsing vulnerability discovered that the same or similar vulnerable code had made its way into multiple other libraries. If your application uses these libraries to process untrusted data, it may still be vulnerable even if you have upgraded Rails. Check your Gemfile and Gemfile.lock for vulnerable versions of the following libraries, and if you are using one, update it immediately. You can update each of these by using "bundle update <gem name>". extlib Vulnerable: <= 0.9.15 Fixed: 0.9.16 External references: https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately https://github.com/datamapper/extlib/compare/b4f98174ec35ac96f76a08d5624fad05d22879b5%E2%80%A64540e7102b803624cc2eade4bb8aaaa934fc31c5 https://rubygems.org/gems/extlib/
extlib 0.9.16 is already in the tree. I've removed older version, and there are no stable versions.
Thanks, Hans. Closing noglsa for ~arch only.
CVE-2013-1802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1802): The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.