Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 501750 (CVE-2014-0080) - <dev-ruby/rails-{3.2.17:3.2,4.0.3:4.0}: DoS and XSS vulnerability (CVE-2014-{0080,0081,0082})
Summary: <dev-ruby/rails-{3.2.17:3.2,4.0.3:4.0}: DoS and XSS vulnerability (CVE-2014-{...
Status: RESOLVED FIXED
Alias: CVE-2014-0080
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2014/2/...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-19 06:54 UTC by Hans de Graaff
Modified: 2014-04-21 23:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2014-02-19 06:54:07 UTC
Data Injection Vulnerability in Active Record

There is a data injection vulnerability in Active Record. Specially
crafted strings can be used to save data in PostgreSQL array columns that may
not be intended. This vulnerability has been assigned the CVE identifier
CVE-2014-0080.

Versions Affected:  4.0.x, 4.1.0.beta1
Not affected:       3.2.x and older
Fixed Versions:     4.0.3, 4.1.0.beta2


XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human

There is an XSS vulnerability in the number_to_currency, number_to_percentage
and number_to_human helpers in Ruby on Rails. This vulnerability has been
assigned the CVE identifier CVE-2014-0081.

Versions Affected:  All.
Fixed Versions:     4.1.0.beta2, 4.0.3, 3.2.17. 


Denial of Service Vulnerability in Action View when using render :text

There is a denial of service vulnerability in the text rendering component of
Action View. This vulnerability has been assigned the CVE identifier
CVE-2014-0082.

Versions Affected: 3.0.x, 3.1.x, 3.2.x
Not affected: 4.0.x
Fixed Versions: 3.2.17
Comment 1 Hans de Graaff gentoo-dev Security 2014-02-19 08:19:11 UTC
Rails 3.2.17 and 4.0.3 are now in the tree. There are no stable versions at the moment.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-19 10:37:44 UTC
(In reply to Hans de Graaff from comment #1)
> Rails 3.2.17 and 4.0.3 are now in the tree. There are no stable versions at
> the moment.

Cleanup, please.
Comment 3 Hans de Graaff gentoo-dev Security 2014-04-21 13:01:30 UTC
Vulnerable versions have been removed.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-04-21 23:05:08 UTC
Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.