| Summary: | ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2], CVE-2014-0130 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Funda Wang <fundawang> |
| Status: | RESOLVED WONTFIX | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | pterjan |
| Version: | 3 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/577574/ | ||
| Whiteboard: | |||
| Source RPM: | ruby-actionpack | CVE: | |
| Status comment: | |||
| Bug Depends on: | 12896, 13339 | ||
| Bug Blocks: | 13660 | ||
Description
David Walser
2013-12-18 20:04:22 CET
David Walser
2013-12-18 20:04:30 CET
Whiteboard: (none) => MGA3TOO

Also http://lwn.net/Vulnerabilities/577572/ for CVE-2013-6415.

URL: (none) => http://lwn.net/Vulnerabilities/577574/
David Walser
2013-12-20 23:25:48 CET
Blocks: (none) => 11726

Fixed by updating to 4.0.2 in Cauldron, by Pascal Terjan. According to the changelog messages, ruby-activemodel may be affected too.

Whiteboard: MGA3TOO => (none)

(In reply to David Walser from comment #2)
> According to the changelog messages, ruby-activemodel may be affected too.

Also ruby-activerecord, ruby-actionmailer, ruby-railties, ruby-activesupport, and ruby-rails. They have also been updated to 4.0.2 in Cauldron.

CC: (none) => pterjan

CVE-2013-0155 was fixed in 3.2.11 or 3.2.12, and we have 3.2.13.

Upstream advisory for the other issues:
http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/

Summary: ruby-actionpack new security issues CVE-2013-0155, CVE-2013-4491, CVE-2013-641[457] => ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457]
David Walser
2014-02-27 14:26:57 CET
Depends on: (none) => 12896

OpenSuSE has issued an advisory on February 26:
http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html

CVE-2014-0080 and CVE-2014-0081 affect Mageia 4 and Cauldron. We'll use Bug 12896 for the issues in Mageia 4 and Cauldron.

CVE-2014-0081 and CVE-2014-0082 affect Mageia 3. We'll use this bug for all of the issues in Mageia 3.

The issues are fixed upstream in 3.2.17 and 4.0.3. Here is the upstream announcement:
http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/

Summary: ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457] => ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2]

LWN reference for CVE-2014-008[0-2]:
http://lwn.net/Vulnerabilities/590263/

Another vulnerability in ruby-actionpack was fixed in 3.2.18 and 4.0.5:
http://openwall.com/lists/oss-security/2014/05/06/14
http://weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/

Summary: ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2] => ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2], CVE-2014-0130
David Walser
2014-05-07 21:15:38 CEST
Depends on: (none) => 13339

(In reply to David Walser from comment #7)
> Another vulnerability in ruby-actionpack was fixed in 3.2.18 and 4.0.5:
> http://openwall.com/lists/oss-security/2014/05/06/14
> http://weblog.rubyonrails.org/2014/5/6/
> Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/

Debian has issued an advisory for this today (May 16):
https://lists.debian.org/debian-security-announce/2014/msg00110.html

from http://lwn.net/Vulnerabilities/599072/
David Walser
2014-07-02 21:45:45 CEST
Blocks: (none) => 13660

Ruby on Rails has been dropped in Cauldron and we are unable to support it.

Status: NEW => RESOLVED