rails: CVE-2016-6317: unsafe query generation in Active Record

Related Vulnerabilities: CVE-2016-6317, CVE-2016-6316

Debian Bug report logs - #834154
rails: CVE-2016-6317: unsafe query generation in Active Record


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 12 Aug 2016 15:15:11 UTC

Severity: important

Tags: security, upstream

Found in version rails/2:4.2.6-2

Fixed in version rails/2:4.2.7.1-1

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#834154; Package src:rails. (Fri, 12 Aug 2016 15:15:15 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 12 Aug 2016 15:15:15 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rails: CVE-2016-6317: unsafe query generation in Active Record
Date: Fri, 12 Aug 2016 17:14:15 +0200
Source: rails
Version: 2:4.2.6-2
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for rails.

CVE-2016-6317[0]:
unsafe query generation in Active Record

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6317
[1] https://groups.google.com/forum/#!msg/rubyonrails-security/rgO20zYW33s/gmamLa-wDAAJ

Regards,
Salvatore



Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Mon, 22 Aug 2016 18:09:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 22 Aug 2016 18:09:05 GMT)


Message #10 received at 834154-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 834154-close@bugs.debian.org
Subject: Bug#834154: fixed in rails 2:4.2.7.1-1
Date: Mon, 22 Aug 2016 18:04:33 +0000
Source: rails
Source-Version: 2:4.2.7.1-1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 834154@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 22 Aug 2016 14:33:48 -0300
Source: rails
Binary: ruby-activesupport ruby-activerecord ruby-activemodel ruby-activejob ruby-actionview ruby-actionpack ruby-actionmailer ruby-railties ruby-rails rails
Architecture: source
Version: 2:4.2.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activejob - job framework with pluggable queues
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 834154 834155
Changes:
 rails (2:4.2.7.1-1) unstable; urgency=medium
 .
   * New upstream release; includes fixes for the following issues:
     - CVE-2016-6317: unsafe query generation in Active Record (Closes: #834154)
     - CVE-2016-6316: Possible XSS Vulnerability in Action View (Closes: #834155)
   * debian/watch: restrict to the 4.x series for now
Checksums-Sha1:
 c3fd66b8e85c3aa9f36474fbcb183ce926638e7e 3459 rails_4.2.7.1-1.dsc
 d8389a376f2b03547b1ce8f8df26f69f85e65d42 4181681 rails_4.2.7.1.orig.tar.gz
 0d71c6cf7ad9aad4b7178d61f86a6d74ee395abf 91812 rails_4.2.7.1-1.debian.tar.xz
Checksums-Sha256:
 1c48dfb0d1f1381af0837743a406fcde4df5e514d0de980bcbb631337b84e86e 3459 rails_4.2.7.1-1.dsc
 bfa7854f1b35e449b78db2af83fe660f17b101a487728fcfc6fb623967fb4783 4181681 rails_4.2.7.1.orig.tar.gz
 b77f47304b2cce12e6bea028aed45b07a4dcc91abbdb09d4ffa25b8bd9ef372b 91812 rails_4.2.7.1-1.debian.tar.xz
Files:
 8a61dbe7a7f377ddf0878748df21bf5a 3459 ruby optional rails_4.2.7.1-1.dsc
 d6755586a995283c91f15d857ef74387 4181681 ruby optional rails_4.2.7.1.orig.tar.gz
 e3ba9158d7216018f2bebe80b362de6a 91812 ruby optional rails_4.2.7.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 25 Sep 2016 07:27:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:18:00 2019; Machine Name: buxtehude
