Debian Bug report logs -
#731290
ruby-actionpack-4.0: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]
Reported by: Antonio Terceiro <terceiro@debian.org>
Date: Wed, 4 Dec 2013 01:09:01 UTC
Severity: grave
Tags: patch, security, upstream
Fixed in version 4.0.2-1
Done: Ondřej Surý <ondrej@sury.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
:
Bug#731288
; Package ruby-actionpack-3.2
.
(Wed, 04 Dec 2013 01:09:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Antonio Terceiro <terceiro@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
.
(Wed, 04 Dec 2013 01:09:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: ruby-actionpack-3.2
Severity: grave
Tags: security upstream patch
Justification: user security hole
Control: clone -1 -2 -3
Control: reassign -2 ruby-actionpack-2.3
Control: retitle -2 ruby-actionpack-2.3: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]
Control: reassign -3 ruby-actionpack-4.0
Control: retitle -3 ruby-actionpack-4.0: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]
New vulnerabilities were just disclosed in the rubyonrails-security mailing
list. Not all of them apply to all packages and versions, but most of them do.
Fixes fox Rails 2.3 were not provided so they will be a little harder to come
up with.
[CVE-2013-6414] Denial of Service Vulnerability in Action View
https://groups.google.com/forum/#!topic/rubyonrails-security/A-ebV4WxzKg
[CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
https://groups.google.com/forum/#!topic/rubyonrails-security/pLrh6DUw998
[CVE-2013-6415] XSS Vulnerability in number_to_currency
https://groups.google.com/forum/#!topic/rubyonrails-security/9WiRn2nhfq0
[CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation
Risk)
https://groups.google.com/forum/#!topic/rubyonrails-security/niK4drpSHT4
[CVE-2013-6416] XSS Vulnerability in simple_format helper
https://groups.google.com/forum/#!topic/rubyonrails-security/5ZI1-H5OoIM
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.11-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ruby-actionpack-3.2 depends on:
ii ruby 1:1.9.3
ii ruby-activemodel-3.2 3.2.13-5
ii ruby-activerecord-3.2 3.2.13-4
ii ruby-activesupport-3.2 3.2.13-3
ii ruby-builder 3.2.0-1
ii ruby-erubis 2.7.0-2
ii ruby-journey 1.0.4-1
ii ruby-rack 1:1.4.5-1
ii ruby-rack-cache 1.2-2
ii ruby-rack-test 0.6.2-1
ii ruby-sprockets 2.4.3-1
ii ruby-tzinfo 1.0.1-1
ii ruby1.8 [ruby-interpreter] 1.8.7.358-9
ii ruby1.9.1 [ruby-interpreter] 1.9.3.484-1
ii ruby2.0 [ruby-interpreter] 2.0.0.353-1
ruby-actionpack-3.2 recommends no packages.
ruby-actionpack-3.2 suggests no packages.
-- no debconf information
--
Antonio Terceiro <terceiro@debian.org>
[signature.asc (application/pgp-signature, inline)]
Bug 731288 cloned as bugs 731289, 731290
Request was from Antonio Terceiro <terceiro@debian.org>
to submit@bugs.debian.org
.
(Wed, 04 Dec 2013 01:09:06 GMT) (full text, mbox, link).
Changed Bug title to 'ruby-actionpack-4.0: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]' from 'ruby-actionpack-3.2: multiple vulnerabilities [CVE-2013-6414 CVE-2013-4491 CVE-2013-6415 CVE-2013-6417 CVE-2013-6416]'
Request was from Antonio Terceiro <terceiro@debian.org>
to submit@bugs.debian.org
.
(Wed, 04 Dec 2013 01:09:09 GMT) (full text, mbox, link).
Reply sent
to Ondřej Surý <ondrej@sury.org>
:
You have taken responsibility.
(Thu, 05 Dec 2013 10:51:05 GMT) (full text, mbox, link).
Notification sent
to Antonio Terceiro <terceiro@debian.org>
:
Bug acknowledged by developer.
(Thu, 05 Dec 2013 10:51:05 GMT) (full text, mbox, link).
Message #16 received at 731290-done@bugs.debian.org (full text, mbox, reply):
Version: 4.0.2-1
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Fri, 03 Jan 2014 07:32:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:53:18 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.