Gentoo Forums
[ GLSA 200912-02 ] Ruby on Rails: Multiple vulnerabilities
Author: GLSA (Advocate, joined 12 May 2004)
Posted: Sun Dec 20, 2009 12:26 pm

Gentoo Linux Security Advisory

Title: Ruby on Rails: Multiple vulnerabilities (GLSA 200912-02)
Severity: normal
Exploitable: remote
Date: December 20, 2009
Bug(s): #200159, #237385, #247549, #276279, #283396, #294797
ID: 200912-02

Synopsis


Multiple vulnerabilities have been discovered in Rails, the worst of which
leads to the execution of arbitrary SQL statements.


Background


Ruby on Rails is a web-application and persistence framework.


Affected Packages

Package: dev-ruby/rails
Vulnerable: < 2.2.2
Unaffected: >= 2.3.5
Unaffected: >= 2.2.3-r1 < 2.2.4
Architectures: All supported architectures


Description


The following vulnerabilities were discovered:
  • sameer reported that lib/action_controller/cgi_process.rb removes the
    :cookie_only attribute from the default session options (CVE-2007-6077),
    due to an incomplete fix for CVE-2007-5380 (GLSA 200711-17).
  • Tobias Schlottke reported that the :limit and :offset parameters of
    ActiveRecord::Base.find() are not properly sanitized before being
    processed (CVE-2008-4094).
  • Steve from Coderrr reported that the CSRF protection in
    protect_from_forgery() does not parse the text/plain MIME format
    (CVE-2008-7248).
  • Nate reported a documentation error that leads to the assumption that a
    block returning nil passed to authenticate_or_request_with_http_digest()
    would deny access to the requested resource (CVE-2009-2422).
  • Brian Mastenbrook reported an input sanitization flaw related to
    multibyte characters (CVE-2009-3009).
  • Gabe da Silveira reported an input sanitization flaw in the strip_tags()
    function (CVE-2009-4214).
  • Coda Hale reported an information disclosure vulnerability related to
    HMAC digests (CVE-2009-3086).


Impact


A remote attacker could send specially crafted requests to a vulnerable
application, possibly leading to the execution of arbitrary SQL
statements or a circumvention of access control. A remote attacker
could also conduct session fixation attacks to hijack a user's session,
bypass the CSRF protection mechanism, conduct Cross-Site Scripting
attacks, or forge a digest via multiple attempts.
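"Forge a digest via multiple attempts" refers to the HMAC item (CVE-2009-3086): when a presented digest is checked with an ordinary string comparison that stops at the first mismatching byte, the response time depends on how many leading bytes were correct. The defence is a comparison whose running time is independent of the contents. The block below is an added example for this advisory, not Rails code; the secret value is constructed for the demo and the helper names (digest_for, secure_compare, verified?) are hypothetical.

```ruby
require "openssl"

# Added example (not from the advisory or from Rails): verify an HMAC-SHA1
# digest with a comparison that always examines every byte, so the time
# taken does not reveal where the first mismatch occurs. Helper names are
# hypothetical; SECRET is a constructed value for this demo only.

SECRET = "constructed-demo-secret-do-not-reuse".freeze

def digest_for(message, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, message)
end

# Constant-time comparison. The length check happens once up front; the
# expected digest length is public, so it discloses nothing useful. The
# loop then XORs every byte pair and ORs the results together, and only
# after the whole string has been walked is the accumulated value
# inspected. A plain `==` would return at the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Recompute the expected digest and compare it to what the client sent.
def verified?(message, presented_digest)
  secure_compare(digest_for(message), presented_digest.to_s)
end

if __FILE__ == $PROGRAM_NAME
  good = digest_for("user_id=42")
  puts "genuine digest accepted:  #{verified?('user_id=42', good)}"
  puts "tampered message rejected: #{!verified?('user_id=43', good)}"
end
```

Recent versions of the openssl gem ship `OpenSSL.secure_compare` for exactly this purpose; the hand-written version above is shown so the property being bought (data-independent timing) is visible.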


Workaround


There is no known workaround at this time.


Resolution


All Ruby on Rails 2.3.x users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.5"

All Ruby on Rails 2.2.x users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose "=dev-ruby/rails-2.2.3-r1"

NOTE: All applications using Ruby on Rails should also be configured to
use the latest version available by running "rake rails:update" inside
the application directory.


References

CVE-2007-5380
CVE-2007-6077
CVE-2008-4094
CVE-2008-7248
CVE-2009-2422
CVE-2009-3009
CVE-2009-3086
CVE-2009-4214
GLSA 200711-17


Last edited by GLSA on Mon Jun 10, 2013 4:30 am; edited 3 times in total