[SECURITY] [DSA 2613-1] rails security update

    From Thijs Kinkhorst@1:229/2 to All on Wed Jan 30 08:40:01 2013
    From: [email protected]


    -------------------------------------------------------------------------
    Debian Security Advisory DSA-2613-1                   [email protected]
    http://www.debian.org/security/                           Thijs Kinkhorst
    January 29, 2013                       http://www.debian.org/security/faq
    -------------------------------------------------------------------------

    Package : rails
    Vulnerability : insufficient input validation
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2013-0333
    Debian Bug : 699226

    Lawrence Pit discovered that Ruby on Rails, a web development framework,
    is vulnerable to a flaw in the parsing of JSON to YAML. Using a specially
    crafted payload, attackers can trick the backend into decoding a subset of
    YAML.

    The vulnerability has been addressed by removing the YAML backend and
    adding the OkJson backend.

    For the stable distribution (squeeze), this problem has been fixed in
    version 2.3.5-1.2+squeeze6.

    For the testing distribution (wheezy), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.3.14-6 of the ruby-activesupport-2.3 package.

    The 3.2 version of rails as found in Debian wheezy and sid is not
    affected by the problem.

    We recommend that you upgrade your rails packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]