SUSE-SU-2013:0707-1: moderate: Security update for Ruby on Rails

sle-security-updates at lists.suse.com
Mon Apr 22 16:04:56 MDT 2013


   SUSE Security Update: Security update for Ruby on Rails
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0707-1
Rating:             moderate
References:         #809932 #809935 #809940 
Cross-References:   CVE-2013-1854
Affected Products:
                    WebYaST 1.2
                    SUSE Studio Standard Edition 1.2
                    SUSE Studio Onsite 1.2
                    SUSE Studio Extension for System z 1.2
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Cloud 1.0
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available. It includes one version update.

Description:


   The Ruby on Rails 2.3 stack received security fixes for the
   following issues:

   ActionPack:

   * CVE-2013-1855: An XSS vulnerability in sanitize_css in
   Action Pack was fixed (bnc#809935).
   * CVE-2013-1857: An XSS vulnerability in the sanitize
   helper of Ruby on Rails was fixed (bnc#809940).

   ActiveRecord:

   * CVE-2013-1854: A Symbol DoS vulnerability in Active
   Record was fixed (bnc#809932).

   ActiveSupport:

   * CVE-2013-1854: A Symbol DoS vulnerability in Active
   Record was fixed (bnc#809932).

   Security Issue reference:

   * CVE-2013-1854
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1854>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - WebYaST 1.2:

      zypper in -t patch slewyst12-rubyrails-2_3-201304-7590

   - SUSE Studio Standard Edition 1.2:

      zypper in -t patch sleslms12-rubyrails-2_3-201304-7590

   - SUSE Studio Onsite 1.2:

      zypper in -t patch slestso12-rubyrails-2_3-201304-7590

   - SUSE Studio Extension for System z 1.2:

      zypper in -t patch slestso12-rubyrails-2_3-201304-7590

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-rubyrails-2_3-201304-7589

   - SUSE Cloud 1.0:

      zypper in -t patch sleclo10sp2-rubyrails-2_3-201304-7589

   To bring your system up-to-date, use "zypper patch".


Package List:

   - WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.8.8.1
      rubygem-activerecord-2_3-2.3.17-0.8.8.1
      rubygem-activesupport-2_3-2.3.17-0.8.8.1

   - SUSE Studio Standard Edition 1.2 (x86_64) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.8.8.1
      rubygem-activerecord-2_3-2.3.17-0.8.8.1
      rubygem-activesupport-2_3-2.3.17-0.8.8.1

   - SUSE Studio Onsite 1.2 (x86_64) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.8.8.1
      rubygem-activerecord-2_3-2.3.17-0.8.8.1
      rubygem-activesupport-2_3-2.3.17-0.8.8.1

   - SUSE Studio Extension for System z 1.2 (s390x) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.8.8.1
      rubygem-activerecord-2_3-2.3.17-0.8.8.1
      rubygem-activesupport-2_3-2.3.17-0.8.8.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.11.1
      rubygem-activerecord-2_3-2.3.17-0.11.1
      rubygem-activesupport-2_3-2.3.17-0.11.1

   - SUSE Cloud 1.0 (x86_64) [New Version: 2.3.17]:

      rubygem-actionpack-2_3-2.3.17-0.11.1
      rubygem-activerecord-2_3-2.3.17-0.11.1
      rubygem-activesupport-2_3-2.3.17-0.11.1


References:

   http://support.novell.com/security/cve/CVE-2013-1854.html
   https://bugzilla.novell.com/809932
   https://bugzilla.novell.com/809935
   https://bugzilla.novell.com/809940
   http://download.novell.com/patch/finder/?keywords=087db4f44aa8af9e31e72ca7a4471ed7
   http://download.novell.com/patch/finder/?keywords=e752b41dd60e41af5879ea236b7914bf


