ruby-activerecord-3.2: CVE-2013-0155


Debian Bug report logs - #697744


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 9 Jan 2013 07:51:07 UTC

Severity: grave

Tags: security

Fixed in version ruby-activerecord-3.2/3.2.6-4

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#697744; Package ruby-activerecord-3.2. (Wed, 09 Jan 2013 07:51:10 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 09 Jan 2013 07:51:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-activerecord-3.2: CVE-2013-0155
Date: Wed, 09 Jan 2013 08:48:08 +0100
Package: ruby-activerecord-3.2
Severity: grave
Tags: security
Justification: user security hole

Please see http://www.openwall.com/lists/oss-security/2013/01/08/13

"rails" from stable should not be affected, but please double-check.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#697744; Package ruby-activerecord-3.2. (Wed, 09 Jan 2013 21:24:03 GMT)


Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 09 Jan 2013 21:24:03 GMT)


Message #10 received at 697744@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 697744@bugs.debian.org
Subject: Re: Bug#697744: ruby-activerecord-3.2: CVE-2013-0155
Date: Wed, 9 Jan 2013 18:22:14 -0300
clone 697744 -1
reassign -1 ruby-actionpack-3.2
thanks

On Wed, Jan 09, 2013 at 08:48:08AM +0100, Moritz Muehlenhoff wrote:
> Package: ruby-activerecord-3.2
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see http://www.openwall.com/lists/oss-security/2013/01/08/13
> 
> "rails" from stable should not be affected, but please double-check.

The fix for this is actually spread over two packages, so I am cloning
this bug to the other one. Thanks for reporting.

-- 
Antonio Terceiro <terceiro@debian.org>

Bug 697744 cloned as bug 697802. Request was from Antonio Terceiro <terceiro@debian.org> to control@bugs.debian.org. (Wed, 09 Jan 2013 21:24:05 GMT)


Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Wed, 09 Jan 2013 21:51:18 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 09 Jan 2013 21:51:18 GMT)


Message #17 received at 697744-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 697744-close@bugs.debian.org
Subject: Bug#697744: fixed in ruby-activerecord-3.2 3.2.6-4
Date: Wed, 09 Jan 2013 21:48:27 +0000
Source: ruby-activerecord-3.2
Source-Version: 3.2.6-4

We believe that the bug you reported is fixed in the latest version of
ruby-activerecord-3.2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697744@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby-activerecord-3.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 09 Jan 2013 18:18:07 -0300
Source: ruby-activerecord-3.2
Binary: ruby-activerecord-3.2
Architecture: source all
Version: 3.2.6-4
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description: 
 ruby-activerecord-3.2 - object-relational mapper framework (part of Rails)
Closes: 697744
Changes: 
 ruby-activerecord-3.2 (3.2.6-4) unstable; urgency=high
 .
   * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk
     [CVE-2013-0155] (Closes: #697744).
Checksums-Sha1: 
 8875732d11430ef841d502b42a05f32eb1679733 1645 ruby-activerecord-3.2_3.2.6-4.dsc
 c58e6f67cdb6cd2e10cdeb82ae547aa77ee9a341 4264 ruby-activerecord-3.2_3.2.6-4.debian.tar.gz
 c3e447c369b7f806bff366c4d8e76504f2332dd4 393530 ruby-activerecord-3.2_3.2.6-4_all.deb
Checksums-Sha256: 
 a2276ffcea1b296a18c4001f21381de89da2a18164cacc79a7aa51fb745f97a1 1645 ruby-activerecord-3.2_3.2.6-4.dsc
 b6ddaea38144c3b1a0d63a1203bdeebd5b90f9768cb5d26492548e9d3de3963f 4264 ruby-activerecord-3.2_3.2.6-4.debian.tar.gz
 ee6bd4e6c16a4ddb4769027583fd2bb8c79fba7c704f17e782fd507ba29ccde8 393530 ruby-activerecord-3.2_3.2.6-4_all.deb
Files: 
 db8378d85c7f1280d5e4bf8cf26e0d46 1645 ruby optional ruby-activerecord-3.2_3.2.6-4.dsc
 e07e6592bc2e8c524200aa07204aa828 4264 ruby optional ruby-activerecord-3.2_3.2.6-4.debian.tar.gz
 a4ab092bcf8dbbb6d39612cefb8badf5 393530 ruby optional ruby-activerecord-3.2_3.2.6-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlDt43kACgkQDOM8kQ+cso/NSgCfRRkAS+acgfIvVoyGV0FIE/rG
IXYAnRFGSnxm0z+/Y2HVg61L2/RMOMlX
=ElWk
-----END PGP SIGNATURE-----


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Feb 2013 07:26:56 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:55 2019; Machine Name: buxtehude