ruby-actionpack-3.2: CVE-2012-3463 / CVE-2012-3464 / CVE-2012-3465


Debian Bug report logs - #684454


Package: ruby-actionpack-3.2; Maintainer for ruby-actionpack-3.2 is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 10 Aug 2012 07:30:02 UTC

Severity: grave

Tags: security

Fixed in version ruby-actionpack-3.2/3.2.6-4

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#684454; Package ruby-actionpack-3.2. (Fri, 10 Aug 2012 07:30:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 10 Aug 2012 07:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-actionpack-3.2: CVE-2012-3463 / CVE-2012-3464 / CVE-2012-3465
Date: Fri, 10 Aug 2012 09:22:16 +0200
Package: ruby-actionpack-3.2
Severity: grave
Tags: security
Justification: user security hole

Please see

CVE-2012-3465
http://www.openwall.com/lists/oss-security/2012/08/09/9


CVE-2012-3464
http://www.openwall.com/lists/oss-security/2012/08/09/10


CVE-2012-3463
http://www.openwall.com/lists/oss-security/2012/08/09/8

Since Wheezy is frozen, please use the isolated patches instead of updating to
3.2.8


Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#684454; Package ruby-actionpack-3.2. (Fri, 10 Aug 2012 16:27:08 GMT)


Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 10 Aug 2012 16:27:08 GMT)


Message #10 received at 684454@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 684454@bugs.debian.org
Subject: Re: Bug#684454: ruby-actionpack-3.2: CVE-2012-3463 / CVE-2012-3464 / CVE-2012-3465
Date: Fri, 10 Aug 2012 13:19:33 -0300
clone 684454 -1
reassign -1 ruby-activesupport-3.2
retitle -1 ruby-activesupport-3.2: CVE-2012-3464
thanks

Moritz Muehlenhoff wrote this:
> Package: ruby-actionpack-3.2
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see
> 
> CVE-2012-3465
> http://www.openwall.com/lists/oss-security/2012/08/09/9
> 
> 
> CVE-2012-3464
> http://www.openwall.com/lists/oss-security/2012/08/09/10
> 
> 
> CVE-2012-3463
> http://www.openwall.com/lists/oss-security/2012/08/09/8
> 
> Since Wheezy is frozen, please use the isolated patches instead of updating to
> 3.2.8

the patch for CVE-2012-3464 has to be split between ruby-actionpack-3.2
and ruby-activesupport-3.2.

I am working on this, expect uploads RSN.

-- 
Antonio Terceiro <terceiro@debian.org>

Bug 684454 cloned as bug 684517. Request was from Antonio Terceiro <terceiro@debian.org> to control@bugs.debian.org. (Fri, 10 Aug 2012 17:21:08 GMT)


Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Fri, 10 Aug 2012 17:33:16 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 10 Aug 2012 17:33:16 GMT)


Message #17 received at 684454-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 684454-close@bugs.debian.org
Subject: Bug#684454: fixed in ruby-actionpack-3.2 3.2.6-4
Date: Fri, 10 Aug 2012 17:32:14 +0000
Source: ruby-actionpack-3.2
Source-Version: 3.2.6-4

We believe that the bug you reported is fixed in the latest version of
ruby-actionpack-3.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684454@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby-actionpack-3.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 10 Aug 2012 13:08:08 -0300
Source: ruby-actionpack-3.2
Binary: ruby-actionpack-3.2
Architecture: source all
Version: 3.2.6-4
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description: 
 ruby-actionpack-3.2 - web-flow and rendering framework putting the VC in MVC (part of R
Closes: 684454
Changes: 
 ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high
 .
   * Add patches for security problems (Closes: #684454):
     + CVE-2012-3463 - Ruby on Rails Potential XSS Vulnerability in select_tag
       prompt
     + CVE-2012-3465 - XSS Vulnerability in strip_tags
     + Both patches were edited from their original versions in two ways:
       - the leading a/ and b/ from the filenames were stripped
       - changes over test files were removed, since the Debian package
         contains no test files.
Checksums-Sha1: 
 38d9541007135c215ea4a6c3de5517638d33e6e8 1683 ruby-actionpack-3.2_3.2.6-4.dsc
 c598b0bc82b33735f7061846ebee54a212eb2808 4307 ruby-actionpack-3.2_3.2.6-4.debian.tar.gz
 d1ecf1fe0596cc5e714a28fd9e93c4dd5dd3f85f 387618 ruby-actionpack-3.2_3.2.6-4_all.deb
Checksums-Sha256: 
 f110bcba58e48a2aad548830c892d661c63113fb5a1c5b182d9741dfd66fc697 1683 ruby-actionpack-3.2_3.2.6-4.dsc
 2e1266853a1ffd22e456bbad283b0fdcf1eb04b1f1b92fe9f863f164b588844a 4307 ruby-actionpack-3.2_3.2.6-4.debian.tar.gz
 c5bd73bbf085d8059fb3ff4459d19aa97380aa0a6ae9442f41184ec27aaa0d21 387618 ruby-actionpack-3.2_3.2.6-4_all.deb
Files: 
 d1b71c00580f03e8d8bd9c9140d0a51a 1683 ruby optional ruby-actionpack-3.2_3.2.6-4.dsc
 9baaa0b914285aef6f15de0c52ad78a5 4307 ruby optional ruby-actionpack-3.2_3.2.6-4.debian.tar.gz
 5029f55804c25a69d7fcf345d1439a8b 387618 ruby optional ruby-actionpack-3.2_3.2.6-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlAlQtMACgkQDOM8kQ+cso8q3QCdGRsTvclVtO4dTxFfFgKxDZol
AQwAnj3QNOWjvuluYm/xKviLrlpZZSLG
=ZyG4
-----END PGP SIGNATURE-----
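The changelog above names two actionpack fixes (an unescaped prompt in select_tag for CVE-2012-3463, and strip_tags for CVE-2012-3465) and the thread notes that CVE-2012-3464 also touches activesupport, where the upstream advisory describes html_escape not escaping single quotes. The following is an added illustration, not Rails code and not the Debian patches: a toy escaper and a toy select_tag-style helper, each in a "before" and "after" form, showing why an unescaped prompt and an unescaped single quote each give an attacker a way out of the surrounding markup. The helper names, the EVIL_PROMPT string and the attribute payload are constructed for this example.

```ruby
# Added example (not Rails' own code): minimal HTML escaping and a toy
# select_tag-style prompt renderer, modelled on the two escaping gaps
# described above. All names and sample inputs here are constructed.

HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#x27;'
}.freeze

# "Before" escaper: single quote is left alone, so a value placed inside a
# single-quoted attribute can terminate the attribute (the CVE-2012-3464 class).
def html_escape_no_squote(s)
  s.to_s.gsub(/[&<>"]/) { |c| HTML_ESCAPE[c] }
end

# "After" escaper: single quote is escaped as &#x27; too. Each character is
# mapped exactly once by the block, so already-escaped text is not double-escaped.
def html_escape(s)
  s.to_s.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }
end

# Toy select_tag: renders a <select> with an optional prompt <option>.
# escape_prompt: false models a prompt that is interpolated raw (CVE-2012-3463 class);
# the default escapes it like any other user-supplied text.
def select_tag(name, options_html, prompt: nil, escape_prompt: true)
  prompt_html =
    if prompt
      text = escape_prompt ? html_escape(prompt) : prompt
      %(<option value="">#{text}</option>)
    else
      ''
    end
  id = html_escape(name)
  %(<select name="#{id}" id="#{id}">#{prompt_html}#{options_html}</select>)
end

# Constructed attacker-controlled prompt: closes the option and select, then injects a script.
EVIL_PROMPT = '</option></select><script>alert(1)</script>'.freeze
OPTIONS = '<option value="r">Red</option>'.freeze

def vulnerable_markup
  select_tag('color', OPTIONS, prompt: EVIL_PROMPT, escape_prompt: false)
end

def fixed_markup
  select_tag('color', OPTIONS, prompt: EVIL_PROMPT)
end

# Does a raw <script> tag survive into the rendered output?
def contains_script_tag?(html)
  html.include?('<script>')
end

# Single-quoted attribute rendered through a chosen escaper (:html_escape_no_squote or :html_escape).
def single_quoted_input(value, escaper)
  "<input value='#{method(escaper).call(value)}'>"
end

# Constructed payload: breaks out of the single-quoted value and adds an event handler.
ATTR_PAYLOAD = "x' onfocus='alert(1)".freeze

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_markup
  puts fixed_markup
  puts single_quoted_input(ATTR_PAYLOAD, :html_escape_no_squote)
  puts single_quoted_input(ATTR_PAYLOAD, :html_escape)
end
```

Run with `ruby example.rb`: the first two lines show the prompt breaking out of, then being contained by, the <select>; the last two show the single quote splitting the attribute under the old escaper and being neutralised as `&#x27;` under the new one. The practical check after upgrading to 3.2.6-4 is the same in spirit: render a select_tag prompt and a single-quoted attribute from untrusted input and confirm that `<`, `>`, `"`, `'` and `&` all come out escaped.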




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 11 Sep 2012 07:29:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:30:47 2019; Machine Name: beach
