Bug 12044 - ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2], CVE-2014-0130
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Funda Wang
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/577574/
Whiteboard:
Keywords:
Depends on: 12896 13339
Blocks: 13660
Reported: 2013-12-18 20:04 CET by David Walser
Modified: 2014-08-20 23:26 CEST (History)

See Also:
Source RPM: ruby-actionpack
CVE:
Status comment:


Description David Walser 2013-12-18 20:04:22 CET
OpenSuSE has issued an advisory today (December 18):
http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html

The issues are fixed upstream in 3.2.16 and 4.0.2.

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-18 20:04:30 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2013-12-18 20:13:16 CET
Also http://lwn.net/Vulnerabilities/577572/ for CVE-2013-6415.

URL: (none) => http://lwn.net/Vulnerabilities/577574/

David Walser 2013-12-20 23:25:48 CET

Blocks: (none) => 11726

Comment 2 David Walser 2013-12-30 02:27:17 CET
Fixed by updating to 4.0.2 in Cauldron, by Pascal Terjan.

According to the changelog messages, ruby-activemodel may be affected too.

Whiteboard: MGA3TOO => (none)
Version: Cauldron => 3
Blocks: 11726 => (none)

Comment 3 David Walser 2013-12-30 02:30:31 CET
(In reply to David Walser from comment #2)
> According to the changelog messages, ruby-activemodel may be affected too.

Also ruby-activerecord, ruby-actionmailer, ruby-railties, ruby-activesupport, and ruby-rails.  They have also been updated to 4.0.2 in Cauldron.

CC: (none) => pterjan

Comment 4 David Walser 2014-01-03 18:30:38 CET
CVE-2013-0155 was fixed in 3.2.11 or 3.2.12, and we have 3.2.13.

Upstream advisory for the other issues:
http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/

Summary: ruby-actionpack new security issues CVE-2013-0155, CVE-2013-4491, CVE-2013-641[457] => ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457]

David Walser 2014-02-27 14:26:57 CET

Depends on: (none) => 12896

Comment 5 David Walser 2014-02-27 14:39:08 CET
OpenSuSE has issued an advisory on February 26:
http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html

CVE-2014-0080 and CVE-2014-0081 affect Mageia 4 and Cauldron.
We'll use Bug 12896 for the issues in Mageia 4 and Cauldron.

CVE-2014-0081 and CVE-2014-0082 affect Mageia 3.
We'll use this bug for all of the issues in Mageia 3.

The issues are fixed upstream in 3.2.17 and 4.0.3.

Here is the upstream announcement:
http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/

Summary: ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457] => ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2]

Comment 6 David Walser 2014-03-11 17:33:11 CET
LWN reference for CVE-2014-008[0-2]:
http://lwn.net/Vulnerabilities/590263/

Comment 7 David Walser 2014-05-07 21:13:14 CEST
Another vulnerability in ruby-actionpack was fixed in 3.2.18 and 4.0.5:
http://openwall.com/lists/oss-security/2014/05/06/14
http://weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/

Summary: ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2] => ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2], CVE-2014-0130

David Walser 2014-05-07 21:15:38 CEST

Depends on: (none) => 13339

Comment 8 David Walser 2014-05-16 18:28:07 CEST
(In reply to David Walser from comment #7)
> Another vulnerability in ruby-actionpack was fixed in 3.2.18 and 4.0.5:
> http://openwall.com/lists/oss-security/2014/05/06/14
> http://weblog.rubyonrails.org/2014/5/6/
> Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/

Debian has issued an advisory for this today (May 16):
https://lists.debian.org/debian-security-announce/2014/msg00110.html

from http://lwn.net/Vulnerabilities/599072/

David Walser 2014-07-02 21:45:45 CEST

Blocks: (none) => 13660

Comment 9 David Walser 2014-08-20 23:26:46 CEST
Ruby on Rails has been dropped in Cauldron and we are unable to support it.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX
