Debian Bug report logs - #558685
rails: [CVE-2009-4214] Cross-site scripting (XSS) vulnerability in the strip_tags
Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Sun, 29 Nov 2009 20:21:02 UTC
Severity: serious
Tags: security
Found in version rails/2.2.3-1
Fixed in version rails/2.2.3-2
Done: Adam Majer <adamm@zombino.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#558685; Package rails. (Sun, 29 Nov 2009 20:21:05 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Adam Majer <adamm@zombino.com>. (Sun, 29 Nov 2009 20:21:05 GMT)
Message #5 received at submit@bugs.debian.org:
package: rails
version: 2.2.3-1
severity: serious
tags: security
hi,
two security vulnerabilities have been disclosed for rails:
1. xss (http://www.openwall.com/lists/oss-security/2009/11/27/2)
- note claimed fixed in version 2.3.5; please check.
2. cross-site request forgery (http://www.openwall.com/lists/oss-security/2009/11/28/1)
- note claimed fixed in version 2.2.2, which is already in sid, but
please check to confirm this is true.
etch/lenny are likely affected, but i haven't personally checked. please
determine whether this is true. if they are affected, these issues seem
severe enough to issue a DSA, so please work with the security team on
that.
thanks,
mike
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#558685; Package rails. (Thu, 24 Dec 2009 12:00:03 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Thu, 24 Dec 2009 12:00:03 GMT)
Message #10 received at 558685@bugs.debian.org:
Hi Adam
These issues have been assigned CVE ids, see below:
CVE-2009-4214[0]:
| Cross-site scripting (XSS) vulnerability in the strip_tags function in
| Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
| attackers to inject arbitrary web script or HTML via vectors involving
| non-printing ASCII characters, related to HTML::Tokenizer and
| actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
CVE-2008-7248[1]:
| Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
| tokens for requests with certain content types, which allows remote
| attackers to bypass cross-site request forgery (CSRF) protection for
| requests to applications that rely on this protection, as demonstrated
| using text/plain.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
CVE-2008-7248 does not seem to affect lenny since it does not include 'text' in
the @@unverifiable_types. The upstream patch for this issue is here[2] and
needs to be included in the sid version.
CVE-2009-4214 affects lenny as well and the upstream patch is here[3], please
have a deeper look at that change, because I didn't. :)
I guess due to CVE-2009-4214 we could fix this via a DSA. When you prepare the
updated packages for lenny, please also include a fix for CVE-2009-3086[4].
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
http://security-tracker.debian.org/tracker/CVE-2009-4214
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248
http://security-tracker.debian.org/tracker/CVE-2008-7248
[2] http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
[3] http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
[4] http://security-tracker.debian.org/tracker/CVE-2009-3086
Cheers
Steffen
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#558685; Package rails. (Sat, 30 Jan 2010 17:51:02 GMT)
Acknowledgement sent to Ryan Niebur <ryan@debian.org>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Sat, 30 Jan 2010 17:51:02 GMT)
Message #15 received at 558685@bugs.debian.org:
On Fri, Jan 08, 2010 at 12:13:36AM +0100, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: rm
>
> Please remove rails. It has open security issues, which haven't been
> acknowledged for six weeks.
>
I'll work on NMUs to fix this.
--
Ryan Niebur
ryanryan52@gmail.com
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#558685; Package rails. (Sat, 30 Jan 2010 19:42:04 GMT)
Acknowledgement sent to Micah Anderson <micah@riseup.net>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Sat, 30 Jan 2010 19:42:04 GMT)
Message #20 received at 558685@bugs.debian.org:
* Steffen Joeris <steffen.joeris@skolelinux.de> [2010-01-30 17:13-0500]:
> Hi Adam
>
> These issues have been assigned CVE ids, see below:
>
> CVE-2009-4214[0]:
> | Cross-site scripting (XSS) vulnerability in the strip_tags function in
> | Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
> | attackers to inject arbitrary web script or HTML via vectors involving
> | non-printing ASCII characters, related to HTML::Tokenizer and
> | actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
>
> CVE-2008-7248[1]:
> | Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
> | tokens for requests with certain content types, which allows remote
> | attackers to bypass cross-site request forgery (CSRF) protection for
> | requests to applications that rely on this protection, as demonstrated
> | using text/plain.
>
> CVE-2008-7248 does not seem to affect lenny since it does not include 'text' in
> the @@unverifiable_types. The upstream patch for this issue is here[2] and
> needs to be included in the sid version.
I can confirm that the lenny version does not include 'text' in the
@@unverifiable_types in the mime_type.rb.
I also can confirm that the sid/squeeze version contains 'text', and
thus they are affected and need updating.
> CVE-2009-4214 affects lenny as well and the upstream patch is here[3], please
> have a deeper look at that change, because I didn't. :)
I can confirm that this one affects lenny.
It also affects the sid/squeeze version, so this will need to be updated
as well.
> I guess due to CVE-2009-4214 we could fix this via a DSA. When you prepare the
> updated packages for lenny, please also include a fix for CVE-2009-3086[4].
Sounds like a DSA for Lenny which hits both CVEs, as well as an upload
to sid with urgency=high, is the name of the game here.
micah
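Micah's confirmation above turns on whether 'text' appears in @@unverifiable_types. The following added example is a simplified model of that kind of check, not Rails' own request_forgery_protection or mime_type.rb code: the session token, the request fields, and the presence of :json and :xml alongside :text in the skip list are assumptions made for illustration.

```ruby
# Added example (not Rails code): a token verifier that skips the check for
# "unverifiable" content types, showing why having :text (text/plain) in that
# list is the bug behind CVE-2008-7248 and what removing it changes.
require "set"

# A request as the verifier sees it: HTTP method, declared content type as a
# symbol (:text stands for text/plain), and the submitted forgery token.
Request = Struct.new(:http_method, :content_type, :token)

class ForgeryVerifier
  def initialize(session_token, unverifiable_types)
    @session_token = session_token
    @unverifiable_types = Set.new(unverifiable_types)
  end

  # A content type in the skip list is assumed impossible to send from a
  # cross-site HTML form, so the token is not checked for it. GET and HEAD
  # are treated as safe and never verified.
  def verified?(req)
    return true if %w[GET HEAD].include?(req.http_method)
    return true if @unverifiable_types.include?(req.content_type)
    req.token == @session_token
  end
end

# Affected configuration: :text is in the skip list, but a plain HTML form can
# be submitted cross-site with enctype=text/plain, so a forged POST that
# carries no token is accepted. (:json and :xml are assumed list members.)
AFFECTED = ForgeryVerifier.new("s3cr3t", [:text, :json, :xml])
# Corrected configuration: :text removed from the skip list.
FIXED = ForgeryVerifier.new("s3cr3t", [:json, :xml])

# Constructed requests: a legitimate form post carrying the session token and
# a cross-site text/plain post carrying none.
LEGIT  = Request.new("POST", :urlencoded, "s3cr3t")
FORGED = Request.new("POST", :text, nil)

# Compare how each configuration treats the two requests.
def outcomes
  { affected_accepts_forged: AFFECTED.verified?(FORGED),
    fixed_accepts_forged:    FIXED.verified?(FORGED),
    fixed_accepts_legit:     FIXED.verified?(LEGIT) }
end
```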
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#558685; Package rails. (Sat, 30 Jan 2010 21:30:07 GMT)
Acknowledgement sent to Adam Majer <adamm@zombino.com>: Extra info received and forwarded to list. (Sat, 30 Jan 2010 21:30:07 GMT)
Message #25 received at 558685@bugs.debian.org:
On Sat, Jan 30, 2010 at 09:47:30AM -0800, Ryan Niebur wrote:
> On Fri, Jan 08, 2010 at 12:13:36AM +0100, Moritz Muehlenhoff wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: rm
> >
> > Please remove rails. It has open security issues, which haven't been
> > acknowledged for six weeks.
> >
>
> I'll work on NMUs to fix this.
Well, it's just a very simple fix for Sid. I kind of overlooked and
forgot about this for some time. If you haven't done anything, I
can upload the sid fix now.
- Adam
Reply sent to Adam Majer <adamm@zombino.com>: You have taken responsibility. (Sat, 30 Jan 2010 22:51:14 GMT)
Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Sat, 30 Jan 2010 22:51:14 GMT)
Message #30 received at 558685-close@bugs.debian.org:
Source: rails
Source-Version: 2.2.3-2
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:
rails_2.2.3-2.diff.gz
to main/r/rails/rails_2.2.3-2.diff.gz
rails_2.2.3-2.dsc
to main/r/rails/rails_2.2.3-2.dsc
rails_2.2.3-2_all.deb
to main/r/rails/rails_2.2.3-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 558685@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Majer <adamm@zombino.com> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 30 Jan 2010 15:43:08 -0600
Source: rails
Binary: rails
Architecture: source all
Version: 2.2.3-2
Distribution: unstable
Urgency: high
Maintainer: Adam Majer <adamm@zombino.com>
Changed-By: Adam Majer <adamm@zombino.com>
Description:
rails - MVC ruby based framework geared for web application development
Closes: 558685
Changes:
rails (2.2.3-2) unstable; urgency=high
.
* Make sure strip_tags removes tags which start with a non-printable
character. (closes: #558685) [CVE-2009-4214]
* Merge in a few additional encoding changes.
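The changelog entry above says strip_tags must also remove tags that start with a non-printable character, the vector class named in the CVE-2009-4214 description earlier in this log. The following added example is a simplified stand-in, not Rails' html-scanner code: a naive stripper that only recognises a tag when a letter follows '<', beside a hardened form, with the regression check a maintainer would keep; all sample strings are constructed.

```ruby
# Added example (not Rails' html-scanner): a minimal tag stripper showing the
# CVE-2009-4214 bug class beside a hardened version, plus a regression check.

# Naive stripper: recognises a tag only when '<' is immediately followed by a
# letter, '/', '!' or '?'. A non-printing ASCII byte between '<' and the tag
# name makes the construct look like plain text, so it is passed through
# untouched, even though a browser may still treat it as markup.
def naive_strip_tags(html)
  html.gsub(%r{<[A-Za-z/!?][^>]*>}, "")
end

# Hardened stripper: first removes non-printing ASCII (C0 controls and DEL,
# except tab, newline and CR), so nothing can sit between '<' and a tag name,
# then removes every '<'...'>' run and any unterminated trailing '<'.
def hardened_strip_tags(html)
  html.gsub(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/, "")
      .gsub(/<[^>]*>?/, "")
end

# Regression check: after stripping, no '<' may remain that a browser could
# still interpret as the start of a tag.
def tag_residue?(text)
  text.include?("<")
end

# Constructed samples: an ordinary tag, tags whose names are preceded by a
# non-printing byte (the advisory's vector class), and an unterminated tag.
SAMPLES = {
  plain:        "hello <b>world</b>",
  control_byte: "hello <\x01script>x</script>",
  nul_byte:     "hello <\x00b>bold</b>",
  unterminated: "hello <b",
}.freeze

# Returns { name => [naive_output, hardened_output] } for side-by-side review.
def compare_strippers
  SAMPLES.transform_values { |s| [naive_strip_tags(s), hardened_strip_tags(s)] }
end

if __FILE__ == $0
  compare_strippers.each do |name, (naive, hard)|
    puts format("%-13s naive=%p residue=%s | hardened=%p",
                name, naive, tag_residue?(naive), hard)
  end
end
```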
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#558685; Package rails. (Sat, 30 Jan 2010 23:51:02 GMT)
Acknowledgement sent to Adam Majer <adamm@zombino.com>: Extra info received and forwarded to list. (Sat, 30 Jan 2010 23:51:03 GMT)
Message #35 received at 558685@bugs.debian.org:
retitle 558685 rails: [CVE-2009-4214] Cross-site scripting (XSS) vulnerability in the strip_tags
thanks
Only CVE-2009-4214 is applicable.
CVE-2008-7248 was fixed in 2.1.0-6. Sid is not affected by this.
- Adam
Changed Bug title to 'rails: [CVE-2009-4214] Cross-site scripting (XSS) vulnerability in the strip_tags' from 'rails: multiple vulnerabilities'. Request was from Adam Majer <adamm@zombino.com> to control@bugs.debian.org. (Sat, 30 Jan 2010 23:51:04 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Feb 2010 07:46:53 GMT)
Last modified: Wed Jun 19 13:16:51 2019; Machine Name: buxtehude