SUSE-SU-2013:1036-1: Security update for SUSE Studio

Mon Jun 17 15:04:10 MDT 2013

   SUSE Security Update: Security update for SUSE Studio
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1036-1
Rating:             low
References:         #803064 #803305 #803306 #803309 #804296 #804304 
                    #804305 #804308 #804309 #804310 #804311 #808277 
                    #810320 #813491 #813504 
Cross-References:   CVE-2012-6134 CVE-2013-0262 CVE-2013-0269
                    CVE-2013-0276 CVE-2013-1800 CVE-2013-1812
                    CVE-2013-1854 CVE-2013-1855 CVE-2013-1857

Affected Products:
                    SUSE Studio Onsite 1.3
______________________________________________________________________________

   An update that solves 9 vulnerabilities and has 6 fixes is
   now available. It includes one version update.

Description:

   This update provides SUSE Studio version 1.3.1, which
   includes  improvements, security fixes for gems studio
   packages and a few minor bug  fixes. The changes in detail
   are:

   * #813491: susestudio 1.3 requires -devel packages
   * #813504: susestudio build might require internet
   connection for gems bundling
   * #810320: security issues in action pack an active
   record
   * #810320: rubygem-activerecord*: Symbol DoS
   vulnerability in Active Record [CVE-2013-1854]
   * #810320: rubygem-actionpack*: XSS vulnerability in
   sanitize_css in Action Pack [CVE-2013-1855]
   * #810320: rubygem-actionpack*: XSS Vulnerability in
   the sanitize  helper of Ruby on Rails [CVE-2013-1857]
   * #804310: security flaws in crack [CVE-2013-1800]
   * #804304: ruby-openid security flaw [CVE-2013-1812]
   * #803309: Denial of Service and Unsafe Object Creation
   Vulnerability in JSON [CVE-2013-0269]
   * #803305: Circumvention of attr_protected
   [CVE-2013-0276]
   * #803064: security issue in rack [CVE-2013-0262]
   * #804308: omniauth-auth2 security flaw [CVE-2012-6134]
   * #804296: API builds change image_type if given
   * #808277: When updating onsite 1.3 services are not
   being restarted
   * #804309: omniauth-auth2 security flaw
   * #803306: Circumvention of attr_protected
   [CVE-2013-0276]
   * #804311: security flaw in crack
   * #804305: ruby-openid security flaw
   * #803064: security issue in rack.

   Security Issues:

   * CVE-2013-1854
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1854
   >
   * CVE-2013-1855
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1855
   >
   * CVE-2013-1857
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1857
   >
   * CVE-2013-1800
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1800
   >
   * CVE-2013-1812
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1812
   >
   * CVE-2013-0269
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269
   >
   * CVE-2013-0276
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276
   >
   * CVE-2013-0262
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0262
   >
   * CVE-2012-6134
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6134
   >
   * CVE-2013-0276
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276
   >

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Studio Onsite 1.3:

      zypper in -t patch slestso13-susestudio-7721

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Studio Onsite 1.3 (x86_64) [New Version: 1.3.1.0]:

      susestudio-1.3.1.0-0.5.2
      susestudio-bundled-packages-1.3.1.0-0.5.2
      susestudio-common-1.3.1.0-0.5.2
      susestudio-runner-1.3.1.0-0.5.2
      susestudio-sid-1.3.1.0-0.5.2
      susestudio-ui-server-1.3.1.0-0.5.2

References:

   http://support.novell.com/security/cve/CVE-2012-6134.html
   http://support.novell.com/security/cve/CVE-2013-0262.html
   http://support.novell.com/security/cve/CVE-2013-0269.html
   http://support.novell.com/security/cve/CVE-2013-0276.html
   http://support.novell.com/security/cve/CVE-2013-1800.html
   http://support.novell.com/security/cve/CVE-2013-1812.html
   http://support.novell.com/security/cve/CVE-2013-1854.html
   http://support.novell.com/security/cve/CVE-2013-1855.html
   http://support.novell.com/security/cve/CVE-2013-1857.html
   https://bugzilla.novell.com/803064
   https://bugzilla.novell.com/803305
   https://bugzilla.novell.com/803306
   https://bugzilla.novell.com/803309
   https://bugzilla.novell.com/804296
   https://bugzilla.novell.com/804304
   https://bugzilla.novell.com/804305
   https://bugzilla.novell.com/804308
   https://bugzilla.novell.com/804309
   https://bugzilla.novell.com/804310
   https://bugzilla.novell.com/804311
   https://bugzilla.novell.com/808277
   https://bugzilla.novell.com/810320
   https://bugzilla.novell.com/813491
   https://bugzilla.novell.com/813504
   http://download.novell.com/patch/finder/?keywords=2b61def21196acb86a98b3cd6b164de8