SUSE-SU-2013:0707-2: moderate: Security update for Ruby On Rails 3.2 stack
sle-security-updates at lists.suse.com
Wed May 8 15:04:37 MDT 2013
SUSE Security Update: Security update for Ruby On Rails 3.2 stack
______________________________________________________________________________
Announcement ID: SUSE-SU-2013:0707-2
Rating: moderate
References: #809932 #809935 #809940
Cross-References: CVE-2013-1854
Affected Products:
WebYaST 1.3
SUSE Studio Onsite 1.3
SUSE Linux Enterprise Software Development Kit 11 SP2
SUSE Lifecycle Management Server 1.3
______________________________________________________________________________
An update that solves one vulnerability and has two fixes
is now available. It includes two new package versions.
Description:
The Ruby on Rails 3.2 stack has been updated to 3.2.12 to
fix various security issues and bugs:
* rubygem-actionmailer-3_2: has been updated to 3.2.12.
* rubygem-actionpack-3_2: has been updated to 3.2.12.
* rubygem-activeresource-3_2: has been updated to
3.2.12.
* rubygem-activesupport-3_2: has been updated to 3.2.12.
* rubygem-railties-3_2: has been updated to 3.2.12.
* rubygem-rails-3_2: has been updated to 3.2.12.
* rubygem-activemodel-3_2: has been updated to 3.2.12 and
received a security fix for CVE-2013-0276: an issue with
attr_protected where malformed input could circumvent the
protection.
* rubygem-activerecord-3_2: has been updated to 3.2.12 and
received a security fix for CVE-2013-0276:
o Quote numeric values being compared to non-numeric
columns. Otherwise, in some databases, the string column
values will be coerced to a numeric, allowing 0, 0.0 or
false to match any string starting with a non-digit.
Read more about this problem here:
<http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/>
* An XSS in sanitize_css in Action Pack has been fixed
(CVE-2013-1855).
* An XSS vulnerability in the sanitize helper of Ruby on
Rails Action Pack has been fixed (CVE-2013-1857).
* A Symbol DoS vulnerability in Active Record has been
fixed (CVE-2013-1854).
* Also rubygem-rack-1_4 has been updated to 1.4.5
(bnc#802794 bnc#802795):
o Fix CVE-2013-0263, timing attack against
Rack::Session::Cookie
o Fix CVE-2013-0262, symlink path traversal in Rack::File
o Update to 1.4.4 (bnc#798452):
+ [SEC] Rack::Auth::AbstractRequest no longer
symbolizes arbitrary strings (CVE-2013-0184)
o Changes from 1.4.3:
+ Security: Prevent unbounded reads in large
multipart boundaries (CVE-2013-0183)
o Changes from 1.4.2 (CVE-2012-6109):
+ Add warnings when users do not provide a
session secret
+ Fix parsing performance for unquoted filenames
+ Updated URI backports
+ Fix URI backport version matching, and silence
constant warnings
+ Correct parameter parsing with empty values
+ Correct rackup '-I' flag, to allow multiple uses
+ Correct rackup pidfile handling
+ Report rackup line numbers correctly
+ Fix request loops caused by non-stale nonces
with time limits
+ Fix reloader on Windows
+ Prevent infinite recursions from Response#to_ary
+ Various middleware better conforms to the body
close specification
+ Updated language for the body close
specification
+ Additional notes regarding ECMA escape
compatibility issues
+ Fix the parsing of multiple ranges in range
headers
+ Prevent errors from empty parameter keys
+ Added PATCH verb to Rack::Request
+ Various documentation updates
+ Fix session merge semantics (fixes rack-test)
+ Rack::Static :index can now handle multiple
directories
+ All tests now utilize Rack::Lint (special thanks
to Lars Gierth)
+ Rack::File cache_control parameter is now
deprecated, and removed by 1.5
+ Correct Rack::Directory script name escaping
+ Rack::Static supports header rules for
sophisticated configurations
+ Multipart parsing now works without a
Content-Length header
+ New logos courtesy of Zachary Scott!
+ Rack::BodyProxy now explicitly defines #each,
useful for C extensions
+ Cookies that are not URI escaped no longer cause
exceptions
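The Rack::Session::Cookie fix for CVE-2013-0263 listed above concerns how a signed cookie's digest is compared to the freshly computed HMAC. The following is an added example written for this page, not Rack's own code: it signs a cookie in the data--hexdigest layout that Rack 1.4's cookie session uses, verifies it once with an early-exit byte comparison (the shape of the flaw) and once with a comparison that examines every byte whatever the position of the first mismatch. The secret, the cookie contents and all function names are constructed for the example; the instrumented leaky_equal returns how many bytes it looked at, which is the quantity a timing attacker measures.

```ruby
require 'openssl'

# Constructed secret for the example only; a real one comes from app config.
SECRET = 'example-session-secret-not-for-production'

def hmac_for(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Cookie value in the "data--hexdigest" layout.
def sign_cookie(data, secret = SECRET)
  "#{data}--#{hmac_for(data, secret)}"
end

# Split on the last "--"; returns [data, nil] when no separator is present.
def split_cookie(cookie)
  data, sep, digest = cookie.rpartition('--')
  sep.empty? ? [cookie, nil] : [data, digest]
end

# Instrumented byte-by-byte equality: returns [equal?, bytes_examined].
# bytes_examined grows with the length of the correct prefix, which is what
# lets an attacker recover a valid digest one byte at a time from timing.
def leaky_equal(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  examined = 0
  a.each_byte.with_index do |x, i|
    examined += 1
    return [false, examined] if x != b.getbyte(i)
  end
  [true, examined]
end

# Constant-time equality: every byte is examined; only the length check
# short-circuits, and the length of a hex HMAC digest is not secret.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.each_byte.with_index { |x, i| diff |= x ^ b.getbyte(i) }
  diff.zero?
end

# Vulnerable verification (shape of the pre-1.4.5 behaviour): early-exit compare.
def verify_insecure(cookie, secret = SECRET)
  data, digest = split_cookie(cookie)
  return nil if digest.nil?
  leaky_equal(digest, hmac_for(data, secret))[0] ? data : nil
end

# Hardened verification: constant-time compare of the supplied digest.
def verify_secure(cookie, secret = SECRET)
  data, digest = split_cookie(cookie)
  return nil if digest.nil?
  secure_compare(digest, hmac_for(data, secret)) ? data : nil
end

if __FILE__ == $0
  cookie = sign_cookie('user_id=42')
  good = split_cookie(cookie)[1]
  puts "valid cookie  -> #{verify_secure(cookie).inspect}"
  puts "forged cookie -> #{verify_secure("user_id=1--#{'g' * 40}").inspect}"
  # 'g' is never a hex character, so these guesses mismatch exactly where intended.
  puts "bytes examined, all-wrong guess: #{leaky_equal('g' * 40, good)[1]}"
  puts "bytes examined, 4-byte prefix:   #{leaky_equal(good[0, 4] + 'g' * 36, good)[1]}"
end
```

The point of the instrumented version is that the work done by the early-exit comparison depends on the secret digest, while secure_compare does the same work for every input of the right length; the same pattern applies wherever an HMAC or token is checked against user-supplied bytes.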
Security Issues:
* CVE-2013-1854
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1854>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- WebYaST 1.3:
zypper in -t patch slewyst13-rubyrails-3_2-201304-7617
- SUSE Studio Onsite 1.3:
zypper in -t patch slestso13-rubyrails-3_2-201304-7617
- SUSE Linux Enterprise Software Development Kit 11 SP2:
zypper in -t patch sdksp2-rubyrails-3_2-201304-7617
- SUSE Lifecycle Management Server 1.3:
zypper in -t patch sleslms13-rubyrails-3_2-201304-7617
To bring your system up-to-date, use "zypper patch".
Package List:
- WebYaST 1.3 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.4.5 and 3.2.12]:
rubygem-actionmailer-3_2-3.2.12-0.5.9
rubygem-actionpack-3_2-3.2.12-0.7.1
rubygem-activemodel-3_2-3.2.12-0.5.8
rubygem-activerecord-3_2-3.2.12-0.7.1
rubygem-activeresource-3_2-3.2.12-0.5.8
rubygem-activesupport-3_2-3.2.12-0.5.8
rubygem-rack-1_4-1.4.5-0.5.8
rubygem-rails-3_2-3.2.12-0.5.10
rubygem-railties-3_2-3.2.12-0.7.9
- SUSE Studio Onsite 1.3 (x86_64) [New Version: 1.4.5 and 3.2.12]:
rubygem-actionmailer-3_2-3.2.12-0.5.9
rubygem-actionpack-3_2-3.2.12-0.7.1
rubygem-activemodel-3_2-3.2.12-0.5.8
rubygem-activerecord-3_2-3.2.12-0.7.1
rubygem-activeresource-3_2-3.2.12-0.5.8
rubygem-activesupport-3_2-3.2.12-0.5.8
rubygem-rack-1_4-1.4.5-0.5.8
rubygem-rails-3_2-3.2.12-0.5.10
rubygem-railties-3_2-3.2.12-0.7.9
- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 1.4.5 and 3.2.12]:
rubygem-activesupport-3_2-3.2.12-0.5.8
rubygem-rack-1_4-1.4.5-0.5.8
- SUSE Lifecycle Management Server 1.3 (x86_64) [New Version: 1.4.5 and 3.2.12]:
rubygem-actionmailer-3_2-3.2.12-0.5.9
rubygem-actionpack-3_2-3.2.12-0.7.1
rubygem-activemodel-3_2-3.2.12-0.5.8
rubygem-activerecord-3_2-3.2.12-0.7.1
rubygem-activeresource-3_2-3.2.12-0.5.8
rubygem-activesupport-3_2-3.2.12-0.5.8
rubygem-rack-1_4-1.4.5-0.5.8
rubygem-rails-3_2-3.2.12-0.5.10
rubygem-railties-3_2-3.2.12-0.7.9
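After the patch is applied, a practitioner wants to confirm that every package in the list above is at or beyond the fixed name-version-release. The following is an added example, not SUSE tooling: it embeds the fixed NVRs from the WebYaST 1.3 list, splits RPM NVR strings on their last two hyphens, and compares version, then release, using Gem::Version. That comparison agreeing with rpm's own rpmvercmp is an assumption that holds for the dotted numeric strings on this page only. The rpm -q query is only run when rpm is present; otherwise a constructed sample list is audited.

```ruby
require 'rubygems'

# Fixed NVRs copied from the advisory's WebYaST 1.3 package list.
FIXED_NVRS = %w[
  rubygem-actionmailer-3_2-3.2.12-0.5.9
  rubygem-actionpack-3_2-3.2.12-0.7.1
  rubygem-activemodel-3_2-3.2.12-0.5.8
  rubygem-activerecord-3_2-3.2.12-0.7.1
  rubygem-activeresource-3_2-3.2.12-0.5.8
  rubygem-activesupport-3_2-3.2.12-0.5.8
  rubygem-rack-1_4-1.4.5-0.5.8
  rubygem-rails-3_2-3.2.12-0.5.10
  rubygem-railties-3_2-3.2.12-0.7.9
].freeze

# "name-version-release" -> [name, version, release]; the name itself may
# contain hyphens (rubygem-rack-1_4), so split from the right.
def split_nvr(nvr)
  name_ver, _, release = nvr.rpartition('-')
  name, _, version = name_ver.rpartition('-')
  [name, version, release]
end

# <=> on two NVRs of the same package: version first, then release.
# Assumption: dotted numeric fields, where Gem::Version ordering matches rpmvercmp.
def compare_nvr(a, b)
  _, va, ra = split_nvr(a)
  _, vb, rb = split_nvr(b)
  c = Gem::Version.new(va) <=> Gem::Version.new(vb)
  c.zero? ? (Gem::Version.new(ra) <=> Gem::Version.new(rb)) : c
end

def fixed_for(name)
  FIXED_NVRS.find { |n| split_nvr(n)[0] == name }
end

# installed: array of NVR strings -> { name => :fixed | :vulnerable | :unlisted }
def audit(installed)
  installed.each_with_object({}) do |nvr, out|
    name = split_nvr(nvr)[0]
    fixed = fixed_for(name)
    out[name] = if fixed.nil? then :unlisted
                elsif compare_nvr(nvr, fixed) >= 0 then :fixed
                else :vulnerable
                end
  end
end

# Query rpm for the packages in the list; "not installed" lines are dropped.
def installed_from_rpm
  names = FIXED_NVRS.map { |n| split_nvr(n)[0] }
  out = `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' #{names.join(' ')} 2>/dev/null`
  out.lines.map(&:strip).reject { |l| l.empty? || l.include?('not installed') }
end

if __FILE__ == $0
  # Constructed sample: one package still at a pre-advisory release, one current.
  sample = %w[rubygem-rack-1_4-1.4.4-0.5.7 rubygem-rails-3_2-3.2.12-0.5.10]
  list = system('rpm --version >/dev/null 2>&1') ? installed_from_rpm : sample
  audit(list).each { |name, state| puts "#{name}: #{state}" }
end
```

A package reported as :unlisted is simply not part of this advisory; :vulnerable means the installed NVR sorts below the fixed one and the zypper patch for that product should be applied.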
References:
http://support.novell.com/security/cve/CVE-2013-1854.html
https://bugzilla.novell.com/809932
https://bugzilla.novell.com/809935
https://bugzilla.novell.com/809940
http://download.novell.com/patch/finder/?keywords=fbe3a3e7096c7d4e58117c534e78345a