rails: CVE-2015-3226: XSS in ActiveSupport::JSON.encode

Debian Bug report logs - #790486

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 29 Jun 2015 18:36:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version rails/2:4.1.8-1

Fixed in versions rails/2:4.1.8-1+deb8u1, rails/2:4.2.3-1

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#790486; Package src:rails. (Mon, 29 Jun 2015 18:36:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 29 Jun 2015 18:36:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rails: CVE-2015-3226: XSS in ActiveSupport::JSON.encode
Date: Mon, 29 Jun 2015 20:32:49 +0200
Source: rails
Version: 2:4.1.8-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for rails.

CVE-2015-3226[0]:
XSS Vulnerability in ActiveSupport::JSON.encode

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3226
[1] http://seclists.org/oss-sec/2015/q2/732

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Tue, 02 Feb 2016 21:36:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 02 Feb 2016 21:36:05 GMT)


Message #10 received at 790486-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 790486-close@bugs.debian.org
Subject: Bug#790486: fixed in rails 2:4.1.8-1+deb8u1
Date: Tue, 02 Feb 2016 21:32:11 +0000
Source: rails
Source-Version: 2:4.1.8-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 790486@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 28 Jan 2016 11:12:33 -0200
Source: rails
Binary: ruby-activesupport ruby-activesupport-2.3 ruby-activerecord ruby-activemodel ruby-actionview ruby-actionpack ruby-actionmailer ruby-railties ruby-rails rails
Architecture: source all
Version: 2:4.1.8-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 rails      - MVC ruby based framework geared for web application development (
 ruby-actionmailer - email composition, delivery, and receiving framework (part of Rai
 ruby-actionpack - web-flow and rendering framework putting the VC in MVC (part of R
 ruby-actionview - framework for handling view template lookup and rendering (part o
 ruby-activemodel - toolkit for building modeling frameworks (part of Rails)
 ruby-activerecord - object-relational mapper framework (part of Rails)
 ruby-activesupport - Support and utility classes used by the Rails 4.1 framework
 ruby-activesupport-2.3 - transitional dummy package
 ruby-rails - MVC ruby based framework geared for web application development
 ruby-railties - tools for creating, working with, and running Rails applications
Closes: 790486 790487
Changes:
 rails (2:4.1.8-1+deb8u1) jessie-security; urgency=high
 .
   * Security updates:
     - [CVE-2015-3227] Possible Denial of Service attack in Active Support
                       (Closes: #790487)
     - [CVE-2015-3226] XSS Vulnerability in ActiveSupport::JSON.encode
                       (Closes: #790486)
     - [CVE-2015-7576] Timing attack vulnerability in basic authentication in
                       Action Controller.
     - [CVE-2016-0751] Possible Object Leak and Denial of Service attack in
                       Action Pack
     - [CVE-2015-7577] Nested attributes rejection proc bypass in Active Record.
     - [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
     - [CVE-2016-0753] Possible Input Validation Circumvention in Active Model
     - [CVE-2015-7581] Object leak vulnerability for wildcard controller routes
                       in Action Pack
Checksums-Sha1:
 5af0f3af8581c2351ea1d17f839ad50267ffa30a 2571 rails_4.1.8-1+deb8u1.dsc
 b9b860ebcc29bc0e208c1eec50842db9bb92765b 3711426 rails_4.1.8.orig.tar.gz
 694f990cbe66eb9e71fe5b472a4173ef9a79b55a 96348 rails_4.1.8-1+deb8u1.debian.tar.xz
 a87d5fd188153e868b50b15f03d4e8a7636ac783 207146 ruby-activesupport_4.1.8-1+deb8u1_all.deb
 a7e42fef7dbd89058e501c01e104ee2a52e420a9 11240 ruby-activesupport-2.3_4.1.8-1+deb8u1_all.deb
 e5c48f45290ab0b14a65dc8db8a4dd80afa9b4ae 268258 ruby-activerecord_4.1.8-1+deb8u1_all.deb
 b70225fe51f918dfe668be5d527e71a82b09ca86 48498 ruby-activemodel_4.1.8-1+deb8u1_all.deb
 8a1f20fc1d907fb25ca7810f47fcc2be36b8b323 141166 ruby-actionview_4.1.8-1+deb8u1_all.deb
 35ff79de09f5ff7412864597c5258bafcda78c37 169578 ruby-actionpack_4.1.8-1+deb8u1_all.deb
 49702140b6de57235ad97834eaf0ddfb5fdca827 31464 ruby-actionmailer_4.1.8-1+deb8u1_all.deb
 9321fe13c60dd7f21dc948a4b6f80300079807ec 118956 ruby-railties_4.1.8-1+deb8u1_all.deb
 8ac15713231e210e9c70704f6d3d95583048ee74 16294 ruby-rails_4.1.8-1+deb8u1_all.deb
 552bee75f73832a73c52f064f8946402ab9b18b4 11502 rails_4.1.8-1+deb8u1_all.deb
Checksums-Sha256:
 c97cea8875033299dd7aed692720ac5d480f947564a947ab1f1be9b7d5046ae5 2571 rails_4.1.8-1+deb8u1.dsc
 419e7cdd8e7fd2b2d45d3a37fb37f01b70ada51db77ca116f83636711d845814 3711426 rails_4.1.8.orig.tar.gz
 675e009ceb2b184b0f66da05c7b74c5c322d72cd51d3a4559ec0e5052ce94cc5 96348 rails_4.1.8-1+deb8u1.debian.tar.xz
 5031053aa135539aa2d0e4fc75d8702ed719bafec35bd270d6506642371ec811 207146 ruby-activesupport_4.1.8-1+deb8u1_all.deb
 3883dc073d2a5be3e94c0b27141396c15fa74496f4d08b1bc815299c2e218871 11240 ruby-activesupport-2.3_4.1.8-1+deb8u1_all.deb
 8d7e22b4f3d3a304f2aa421ab6bf79ea280d644479c6a57c2be6d7e0d6dd1539 268258 ruby-activerecord_4.1.8-1+deb8u1_all.deb
 47fd5d59a20e9e536609d1e35fd2fbae156b14f51b8e3dd3387dade47a93b830 48498 ruby-activemodel_4.1.8-1+deb8u1_all.deb
 9a93f76f2bc070639fb7f89dfac77a3d91360c35399e41bf839e24f71384922e 141166 ruby-actionview_4.1.8-1+deb8u1_all.deb
 fe39ad3834008dddd42fe550b1bcbdcc329f49da10762e818559e3aa331795f1 169578 ruby-actionpack_4.1.8-1+deb8u1_all.deb
 26b56ab03e644c807bdc66cb4efa1627723a91d4535f468c1166f624dce4431f 31464 ruby-actionmailer_4.1.8-1+deb8u1_all.deb
 c3a8b033179bf8f9146fb2225a96a17840b90b02c3cd9af3fd89c8d1d46b90a1 118956 ruby-railties_4.1.8-1+deb8u1_all.deb
 40fc6d7bac67be29f115babfe01f93a32d10da957bc5fe9c95aa12a3a4535aa3 16294 ruby-rails_4.1.8-1+deb8u1_all.deb
 928c336e7436ea034440181f353308021084fdb2b4d0c025368a5bad6e1bb012 11502 rails_4.1.8-1+deb8u1_all.deb
Files:
 ea91e053e81a3e2e6a41fa52a67c835c 2571 ruby optional rails_4.1.8-1+deb8u1.dsc
 0b118bca039a4beddbdafa128b7d85e6 3711426 ruby optional rails_4.1.8.orig.tar.gz
 025da188c2bbc56660835737289a9c63 96348 ruby optional rails_4.1.8-1+deb8u1.debian.tar.xz
 70dfd4b8d2291ef9d5a15a032e2e5956 207146 ruby optional ruby-activesupport_4.1.8-1+deb8u1_all.deb
 3c99bd0e7b5f175847ed7eb46ffa14b0 11240 ruby optional ruby-activesupport-2.3_4.1.8-1+deb8u1_all.deb
 82a4a5ebb0b4ba69d655f2f0d3426752 268258 ruby optional ruby-activerecord_4.1.8-1+deb8u1_all.deb
 4c1dfc594a0d954aa0fafe31dc9ca89e 48498 ruby optional ruby-activemodel_4.1.8-1+deb8u1_all.deb
 f80245223a1d181171ef20c92fe8ec46 141166 ruby optional ruby-actionview_4.1.8-1+deb8u1_all.deb
 868bed01c90cebaa69bf3e967f5db8c5 169578 ruby optional ruby-actionpack_4.1.8-1+deb8u1_all.deb
 50a341526247ec4a5be2958d116550c8 31464 ruby optional ruby-actionmailer_4.1.8-1+deb8u1_all.deb
 a75650b061b56d14ab66f5293b877be7 118956 ruby optional ruby-railties_4.1.8-1+deb8u1_all.deb
 351b14998e57d1cfd19cbfeec0ab665b 16294 ruby optional ruby-rails_4.1.8-1+deb8u1_all.deb
 b6acf788198595d4a053324775704cbf 11502 ruby optional rails_4.1.8-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWqmZNAAoJEPwNsbvNRgvecfMP/i0rEpEoOnS832yNHahBuPpT
UMVfdSO7NnvGpQYXoYczo/IRFVoyon3a3H2mw54ZszrGWi5tlzenKmJLYaCvSJeu
oip8Qr31SDaMuMz5/IAyVxOSCoEjpW/N+yj6B4bwTaTy8hWZKC2jx1KZ6zq5+9hj
bfST/a94ouqk9/O0rJie2DSEGUu32hZ8gLFbYYG/tA0bWTxedD6HCuVwfttqVjCw
hMV7wdi2iRIuJEtL2YPD1FPDj3oneZ4w0Dw3uvqe5YORe+wejpBA9PPjOa3ACZKn
9MVXohCo1AYfKSo2/cL7jDI1AuMXCDwYooZw6HjtDvpWOAz4ctYZScUsIjhS9LZk
te4x49UBx44s5WZwQMzmyDalQsEQUtspGFvcbjhdOjDL7Y+zM88IFxM6H8JiLcb/
68Rb+pl+JevC9QxAc413G6eNJqF9CRKxWOBIHg+9CNoo2nHkPezmd3c8KDUKBbJP
x9yJX/TuqcKNr84qTuV4BdI7yA4jxSrhedU0PjzILCzgg6UQqsInJBx9jndLh9wt
ndMxJ+GAeo96RUBBeBS7otSsyvKpjyO7InXr30aGlHoeDfxQmWRZozeUbqKA3kBj
jKLWY30ZybJXyTcIQvne7Uo7COtqJNXjhuP3oWc0/gSKIg4R4Qx7MGS9vRBpQbt7
mJ94B0QUKEfuKxpRJaru
=qMzv
-----END PGP SIGNATURE-----
Marked as fixed in versions rails/2:4.2.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 Feb 2016 10:12:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Apr 2016 07:37:48 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:00:46 2019; Machine Name: buxtehude