From ${URL} :

Description
Multiple vulnerabilities have been reported in Ruby on Rails, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).

1) An error when handling keys to a hash in Active Record can be exploited to potentially convert hash keys to symbols and cause a DoS condition.

2) Certain input is not properly sanitised in the "sanitize_css" method in Action Pack before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) An error when parsing XML entities via ActiveSupport::XmlMini_JDOM in ActiveSupport can potentially be exploited to e.g. disclose contents of certain local files or cause a DoS condition by sending specially crafted XML data including external entity references. Successful exploitation of this vulnerability requires a JRuby application using the JDOM backend. This vulnerability is reported in versions 3.0.0 and later.

4) The sanitize helper within the HTML module does not properly verify allowed protocols, which can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities #1, #2, and #4 are reported in versions prior to 3.2.13, 3.1.12, and 2.3.18.

Solution
Update or upgrade to version 3.2.13, 3.1.12, or 2.3.18 or apply patches (please see the vendor's advisory for details).

Provided and/or discovered by
The vendor credits:
1, 3) Ben Murphy
2) Charlie Somerville
4) Alan Jenkins

Original Advisory
Ruby on Rails:
http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
https://groups.google.com/forum/#!topic/ruby-security-ann/o0Dsdk2WrQ0
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI
*** Bug 462474 has been marked as a duplicate of this bug. ***
CVE-2013-1857 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1857): The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence.

CVE-2013-1856 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1856): The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.

CVE-2013-1855 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1855): The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.

CVE-2013-1854 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1854): The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
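The protocol check that CVE-2013-1857 describes as missing, as an added example that is not Rails' own sanitizer code: the attribute value is decoded and normalised before its scheme is compared against an allowlist, so an entity-encoded colon or an embedded newline (the same pattern CVE-2013-1855 describes for CSS) cannot hide the scheme. The allowed-scheme list, the small named-reference table and all function names are assumptions.

```ruby
# Allowed URL schemes for href/src attributes (assumed list, not Rails').
ALLOWED_PROTOCOLS = %w[http https mailto ftp].freeze

# Named character references a browser resolves inside attribute values
# (a deliberately small subset; hypothetical, not Rails' table).
NAMED_REFS = { 'colon' => ':', 'tab' => "\t", 'newline' => "\n", 'amp' => '&' }.freeze

# Resolve numeric (&#58; &#x3a;) and the named references above, with the
# trailing semicolon optional, as lenient HTML parsing treats it.
def decode_char_refs(value)
  value.gsub(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/i) do |whole|
    if $3
      NAMED_REFS.fetch($3.downcase, whole) # unknown name: leave as written
    else
      code = $1 ? $1.to_i(16) : $2.to_i
      valid = code.between?(1, 0x10FFFF) && !code.between?(0xD800, 0xDFFF)
      valid ? [code].pack('U') : ''       # NUL/invalid code points vanish
    end
  end
end

# Normalise the way a browser would before it looks at the scheme:
# decode references, drop whitespace and C0 controls, lowercase.
# Removing *all* whitespace is more aggressive than browsers are, so the
# check errs toward rejecting odd values rather than accepting them.
def normalize_url(value)
  decode_char_refs(value.to_s).gsub(/[[:space:]\x00-\x1f]/, '').downcase
end

# Scheme grammar from RFC 3986; a value without a scheme is a relative URL.
SCHEME_RE = /\A([a-z][a-z0-9+.\-]*):/

# True when the normalised value is relative or uses an allowed scheme.
def safe_protocol?(attr_value)
  m = SCHEME_RE.match(normalize_url(attr_value))
  m.nil? || ALLOWED_PROTOCOLS.include?(m[1])
end

# Drop href/src attributes that fail the check; other attributes pass through.
URL_ATTRIBUTES = %w[href src].freeze
def scrub_url_attributes(attrs)
  attrs.reject do |name, value|
    URL_ATTRIBUTES.include?(name.to_s.downcase) && !safe_protocol?(value)
  end
end
```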
Rails 3.2.13, 3.1.12, and 2.3.18 are now in the tree. Rails 2.3.x is still the only stable series and can be marked stable:

=dev-ruby/activesupport-2.3.18
=dev-ruby/activeresource-2.3.18
=dev-ruby/actionpack-2.3.18
=dev-ruby/actionmailer-2.3.18
=dev-ruby/activerecord-2.3.18
=dev-ruby/rails-2.3.18
amd64 stable
x86 stable
ppc stable
ppc64 stable
Added to existing GLSA draft, ready for review.
This issue was resolved and addressed in GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml by GLSA coordinator Sean Amoss (ackle).