OpenSuSE has issued an advisory today (December 18): http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html The issues are fixed upstream in 3.2.16 and 4.0.2.
Whiteboard: (none) => MGA3TOO
Also http://lwn.net/Vulnerabilities/577572/ for CVE-2013-6415.
URL: (none) => http://lwn.net/Vulnerabilities/577574/
Blocks: (none) => 11726
Fixed by updating to 4.0.2 in Cauldron, by Pascal Terjan. According to the changelog messages, ruby-activemodel may be affected too.
Whiteboard: MGA3TOO => (none)
Version: Cauldron => 3
Blocks: 11726 => (none)
(In reply to David Walser from comment #2)
> According to the changelog messages, ruby-activemodel may be affected too.

Also ruby-activerecord, ruby-actionmailer, ruby-railties, ruby-activesupport, and ruby-rails. They have also been updated to 4.0.2 in Cauldron.
CC: (none) => pterjan
CVE-2013-0155 was fixed in 3.2.11 or 3.2.12, and we have 3.2.13. Upstream advisory for the other issues: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
Summary: ruby-actionpack new security issues CVE-2013-0155, CVE-2013-4491, CVE-2013-641[457] => ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457]
Depends on: (none) => 12896
OpenSuSE has issued an advisory on February 26: http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html CVE-2014-0080 and CVE-2014-0081 affect Mageia 4 and Cauldron. We'll use Bug 12896 for the issues in Mageia 4 and Cauldron. CVE-2014-0081 and CVE-2014-0082 affect Mageia 3. We'll use this bug for all of the issues in Mageia 3. The issues are fixed upstream in 3.2.17 and 4.0.3. Here is the upstream announcement: http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/
Summary: ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457] => ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2]
LWN reference for CVE-2014-008[0-2]: http://lwn.net/Vulnerabilities/590263/
Another vulnerability in ruby-actionpack was fixed in 3.2.18 and 4.0.5:
http://openwall.com/lists/oss-security/2014/05/06/14
http://weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/
Summary: ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2] => ruby-actionpack new security issues CVE-2013-4491, CVE-2013-641[457], CVE-2014-008[0-2], CVE-2014-0130
Depends on: (none) => 13339
(In reply to David Walser from comment #7)
> Another vulnerability in ruby-actionpack was fixed in 3.2.18 and 4.0.5:
> http://openwall.com/lists/oss-security/2014/05/06/14
> http://weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/

Debian has issued an advisory for this today (May 16): https://lists.debian.org/debian-security-announce/2014/msg00110.html from http://lwn.net/Vulnerabilities/599072/
Blocks: (none) => 13660
Ruby on Rails has been dropped in Cauldron and we are unable to support it.
Status: NEW => RESOLVED
Resolution: (none) => WONTFIX