I don't know much about the ruby packages or gems, but I recently realized our package naming is different than Fedora, so I had been ignoring advisories for packages that we actually do have. I went back and found the ones I had overlooked. Our SRPM names for these packages are in the RPM field for this bug. Here are the missed advisories:
http://lwn.net/Vulnerabilities/495491/
http://lwn.net/Vulnerabilities/475787/
http://lwn.net/Vulnerabilities/487174/
http://lwn.net/Vulnerabilities/502246/
http://lwn.net/Vulnerabilities/502245/
Also, we do have one package using Fedora's naming scheme, which doesn't match ours: rubygem-passenger. That one should probably be renamed to ruby-passenger to fit with the rest of ours.
CC: (none) => shikamaru
CC: (none) => shlomif
CC: (none) => johnny
Whiteboard: (none) => MGA2TOO, MGA1TOO
ruby-rails is also affected by new security issues. There are updated versions of rails 3.x with fixes [1], but I don't see any updates to 2.3.x available. According to secunia, 2.3.x is vulnerable [2].
[1] - http://weblog.rubyonrails.org/
[2] - http://secunia.com/advisories/49457/
Source RPM: ruby-RubyGems, ruby-rack, ruby-actionpack, ruby-activerecord => ruby-RubyGems, ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails
More Fedora advisories:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083133.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083139.html
Some more from earlier this year:
http://lwn.net/Vulnerabilities/477430/
http://lwn.net/Vulnerabilities/475787/
Hi David,

sorry for the very late response: I am reluctant to update the Ruby Gem packages in Mageia 2, because it was very time-consuming to do that for Mageia Linux Cauldron and involved chasing a lot of dependencies. I don't want to go through this dependency hell again. So I don't know what to do about these packages.

Regards,

-- Shlomi Fish
Hopefully there are patches for some of these things which will avoid chasing dependencies. There's a lot of packages involved so it will take some time. I'm going to put out another general call for help with security issues soon, but if nobody else wants to help, there's only so much we can do.
New one today for ruby-actionpack: http://lwn.net/Vulnerabilities/510679/
Older ones for actionpack and activesupport:
http://lwn.net/Vulnerabilities/457934/
http://lwn.net/Vulnerabilities/457933/
More older ones for actionpack and activesupport:
http://lwn.net/Vulnerabilities/431840/
http://lwn.net/Vulnerabilities/449902/
http://lwn.net/Vulnerabilities/366096/
Older one for ruby-rails: http://lwn.net/Vulnerabilities/457759/
New one today for rubygem-actionpack: http://lwn.net/Vulnerabilities/513190/
CC: (none) => fundawang
CC: (none) => oe
ok, I will have a look, thanks a ton for the report
Assignee: bugsquad => shikamaru
Status: NEW => ASSIGNED
New one today for ruby-rails: http://lwn.net/Vulnerabilities/531753/
Source RPM: ruby-RubyGems, ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails => ruby-RubyGems, ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport
CVE-2012-5664 for ruby-activerecord is fixed in Cauldron by Funda.
Another new one for ruby-rails from upstream:
https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
Sounds pretty serious, according to this article:
http://arstechnica.com/security/2013/01/extremely-crtical-ruby-on-rails-bug-threatens-more-than-200000-sites/
We need to update to 2.3.15 in Mageia 2 and 3.2.11 in Cauldron.
LWN reference for new rails vulnerability (since Debian issued an advisory): http://lwn.net/Vulnerabilities/532292/
New one today for ruby-activerecord: http://lwn.net/Vulnerabilities/532670/
New one today for ruby-rails or ruby-activerecord (not sure): http://lwn.net/Vulnerabilities/533067/
New one today for ruby-rack: http://lwn.net/Vulnerabilities/534632/
New one today for ruby-activesupport: http://lwn.net/Vulnerabilities/534956/
Depends on: (none) => 9050
ruby-rack now has Bug 9050. ruby-actionpack-2.3.15-1.mga2 and ruby-activesupport-2.3.15-1.mga2 are in updates_testing (from Funda), but no bug has been filed to send them to QA. Nothing has been done for ruby-RubyGems, ruby-rails, or ruby-activerecord that I'm aware of.
I think Funda has fixed all of these now except for ruby-RubyGems, which had CVEs in the original report here:
http://lwn.net/Vulnerabilities/495491/
That has these CVEs:
CVE-2012-2125
CVE-2012-2126
which are fixed upstream in 1.8.23, so Cauldron is OK. Fedora has a patch for 1.7.2 (which we have in Mageia 2) here:
http://pkgs.fedoraproject.org/cgit/rubygems.git/plain/rubygems-1.x.x-ssl-connection-don_t-revert.patch?h=f15&id=47407a7661abf4a8d632fbc5150a7e65d9ef69a6
Funda has also built updates for these in Mageia 2, but I don't know why:
ruby-json
ruby-activeresource
ruby-actionmailer
as they are not listed in this bug. Hopefully Funda can tell us why those were updated so that we can have an advisory for them and send them to QA.
Setting version to 2 as these should be fixed in Cauldron now. Removing Mageia 1 from the whiteboard due to EOL.
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => (none)
Depends on: (none) => 9065
Bug 9065 filed for ruby-RubyGems. Removing that from the RPM Package list for this bug. ruby-json has nothing to do with the issues in this bug, so Funda will need to file a new bug for that one to push it to QA. All of the other packages have been upgraded to version 2.3.17, so we can use this bug for those.
Source RPM: ruby-RubyGems, ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport => ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport
Removing ruby-rack from the RPM Package list too as that's in Bug 9050.
Source RPM: ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport => ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport
For http://lwn.net/Vulnerabilities/487174/, it looks like:
- CVE-2012-1098: 2.3.x not vulnerable, only 3.x is
- CVE-2012-1099: Fixed upstream in 2.3.14, which we already have in Mageia 2.
For http://lwn.net/Vulnerabilities/502246/, we have:
- CVE-2012-2660: vulnerable, fixed after 2.3.14
For http://lwn.net/Vulnerabilities/502245/, we have:
- CVE-2012-2661: Not clear if it was fixed before or after 2.3.14
For http://lwn.net/Vulnerabilities/477430/, we have:
- CVE-2011-4319: appears to only affect 3.x
For http://lwn.net/Vulnerabilities/513190/, we have:
- CVE-2012-3463: 2.3.x not vulnerable, only 3.x is
- CVE-2012-3464: vulnerable, fixed after 2.3.14
- CVE-2012-3465: vulnerable, fixed after 2.3.14
For http://lwn.net/Vulnerabilities/431840/, we have:
- CVE-2011-0446, CVE-2011-0447: not vulnerable, fixed in 2.3.11
For http://lwn.net/Vulnerabilities/449902/, we have:
- CVE-2011-2197: not vulnerable, fixed in 2.3.12
For http://lwn.net/Vulnerabilities/366096/, we have:
- CVE-2009-4214: not vulnerable, fixed in 2.3.5
For http://lwn.net/Vulnerabilities/510679/, we have:
- CVE-2012-3424: 2.3.x not vulnerable, only 3.x is
For http://lwn.net/Vulnerabilities/457934/, we have:
- CVE-2011-2932: not vulnerable, fixed in 2.3.13
For http://lwn.net/Vulnerabilities/457933/, we have:
- CVE-2011-2929: 2.3.x not vulnerable, only 3.x is
For http://lwn.net/Vulnerabilities/457759/, we have:
- CVE-2011-2930, CVE-2011-2931, CVE-2011-3186: not vulnerable, fixed in 2.3.13
For http://lwn.net/Vulnerabilities/531753/, we have:
- CVE-2012-5664: vulnerable, fixed after 2.3.14 (now CVE-2012-649[67])
For http://lwn.net/Vulnerabilities/532670/, we have:
- CVE-2012-6496: part of CVE-2012-5664 above
For http://lwn.net/Vulnerabilities/533067/, we have:
- CVE-2013-0155: 2.3.x not vulnerable, only 3.x is (Debian did fix this in 2.3.5, but needed no action for 2.3.14)
For http://lwn.net/Vulnerabilities/532292/, we have:
- CVE-2013-0156: vulnerable, fixed in 2.3.15
For http://lwn.net/Vulnerabilities/534956/, we have:
- CVE-2013-0333: vulnerable, fixed in 2.3.16
New one today for ruby-rails: http://lwn.net/Vulnerabilities/537752/
This brings us:
- CVE-2013-0276, CVE-2013-0277: vulnerable, fixed in 2.3.17
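Added example, not part of the bug report: the per-CVE triage in the two comments above, encoded as a Ruby table and evaluated against a Rails 2.3.x version with Gem::Version, so a packager can tell which CVEs are still open for a given build. Two assumptions: where a comment says only "fixed after 2.3.14", 2.3.17 (the version the Mageia 2 update was built to) is taken as the first release known to be fixed, and "fixed in 2.3.N" is read as "vulnerable through 2.3.N-1" because 2.3.x releases are numbered consecutively.

```ruby
# Added example (not from the bug report): the per-CVE triage from the
# comments above as data, evaluated against a Rails 2.3.x version.
require 'rubygems' # Gem::Version compares dotted versions numerically

# CVE => [last version known vulnerable, first version known fixed].
# Whole value nil: 2.3.x is not affected (3.x only).
# First element nil: the comments do not say where the fix landed
# (CVE-2012-2661), only that the 2.3.17 update carries it.
# Assumption: "fixed after 2.3.14" entries use 2.3.17, the version the
# Mageia 2 update was built from, as the first release known to be fixed.
RAILS_23_TRIAGE = {
  'CVE-2009-4214' => ['2.3.4',  '2.3.5'],
  'CVE-2011-0446' => ['2.3.10', '2.3.11'],
  'CVE-2011-0447' => ['2.3.10', '2.3.11'],
  'CVE-2011-2197' => ['2.3.11', '2.3.12'],
  'CVE-2011-2930' => ['2.3.12', '2.3.13'],
  'CVE-2011-2932' => ['2.3.12', '2.3.13'],
  'CVE-2012-1098' => nil,
  'CVE-2012-1099' => ['2.3.13', '2.3.14'],
  'CVE-2012-2660' => ['2.3.14', '2.3.17'],
  'CVE-2012-2661' => [nil,      '2.3.17'],
  'CVE-2012-3463' => nil,
  'CVE-2012-3464' => ['2.3.14', '2.3.17'],
  'CVE-2012-3465' => ['2.3.14', '2.3.17'],
  'CVE-2012-6496' => ['2.3.14', '2.3.17'],
  'CVE-2013-0155' => nil,
  'CVE-2013-0156' => ['2.3.14', '2.3.15'],
  'CVE-2013-0333' => ['2.3.15', '2.3.16'],
  'CVE-2013-0276' => ['2.3.16', '2.3.17'],
  'CVE-2013-0277' => ['2.3.16', '2.3.17']
}.freeze

# Status of one CVE for a version; :unknown = a gap the triage does not cover.
def cve_status(version, bounds)
  return :not_affected if bounds.nil?
  v = Gem::Version.new(version)
  last_vuln, first_fixed = bounds
  return :fixed if v >= Gem::Version.new(first_fixed)
  return :vulnerable if last_vuln && v <= Gem::Version.new(last_vuln)
  :unknown
end

# Group every CVE in the table by its status for the given version.
def triage(version, table = RAILS_23_TRIAGE)
  table.each_with_object(Hash.new { |h, k| h[k] = [] }) do |(cve, bounds), out|
    out[cve_status(version, bounds)] << cve
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[2.3.14 2.3.15 2.3.17].each do |ver|
    r = triage(ver)
    puts "#{ver}: #{r[:vulnerable].size} open, #{r[:unknown].size} unknown"
  end
end
```

Running it shows why the Mageia 2 build of 2.3.14 needed the jump straight to 2.3.17: an intermediate 2.3.15 would still leave three CVEs open and five in the "fixed somewhere after 2.3.14" gap.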
Advisory references.
CVE-2012-2660, CVE-2012-2694, CVE-2012-2695 (can't find an LWN reference for 269x)
http://lists.opensuse.org/opensuse-updates/2012-08/msg00020.html
CVE-2012-2661 (?)
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
CVE-2012-2695, CVE-2012-5664, CVE-2013-0155, CVE-2013-0156, CVE-2013-0333
http://lists.opensuse.org/opensuse-updates/2013-02/msg00032.html
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
CVE-2012-3464, CVE-2012-3465
http://lists.opensuse.org/opensuse-updates/2012-09/msg00083.html
CVE-2012-5664 = CVE-2012-6496, CVE-2012-6497
http://www.debian.org/security/2013/dsa-2597
http://weblog.rubyonrails.org/2013/1/2/Rails-3-2-10--3-1-9--and-3-0-18-have-been-released/
CVE-2013-0276, CVE-2013-0277
http://www.debian.org/security/2013/dsa-2620
http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
That last upstream advisory also mentions CVE-2013-0269 for ruby-json, so we can include that with the rest of these.
Source RPM: ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport => ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport, ruby-json
Never mind, Funda has filed Bug 9048 for ruby-json.
Depends on: (none) => 9048
Source RPM: ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport, ruby-json => ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport
Assigning to QA.

Advisory:
========================

Updated ruby-rails packages fix security vulnerabilities:

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values (CVE-2012-2660).

The Active Record component in Ruby on Rails does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion (CVE-2012-2661).

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character (CVE-2012-3464).

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup (CVE-2012-3465).

SQL injection vulnerability in the Active Record component in Ruby on Rails allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls (CVE-2012-6496).

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion (CVE-2013-0156).

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding (CVE-2013-0333).

ActiveRecord in Ruby on Rails 2.3.x before 2.3.17 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request (CVE-2013-0276).

Active Record in Ruby on Rails 2.3.x before 2.3.17 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML (CVE-2013-0277).

The ruby-rails, ruby-actionmailer, ruby-actionpack, ruby-activerecord, ruby-activeresource, and ruby-activesupport packages have been upgraded to version 2.3.17 to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277
http://weblog.rubyonrails.org/2013/1/2/Rails-3-2-10--3-1-9--and-3-0-18-have-been-released/
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
http://lists.opensuse.org/opensuse-updates/2012-08/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00032.html
http://lists.opensuse.org/opensuse-updates/2012-09/msg00083.html
http://www.debian.org/security/2013/dsa-2597
http://www.debian.org/security/2013/dsa-2620
========================

Updated packages in core/updates_testing:
========================
ruby-actionmailer-2.3.17-1.mga2
ruby-actionmailer-doc-2.3.17-1.mga2
ruby-actionpack-2.3.17-1.mga2
ruby-actionpack-doc-2.3.17-1.mga2
ruby-activerecord-2.3.17-1.mga2
ruby-activerecord-doc-2.3.17-1.mga2
ruby-activeresource-2.3.17-1.mga2
ruby-activeresource-doc-2.3.17-1.mga2
ruby-activesupport-2.3.17-1.mga2
ruby-activesupport-doc-2.3.17-1.mga2
ruby-rails-2.3.17-1.mga2
ruby-rails-devel-2.3.17-1.mga2
ruby-rails-doc-2.3.17-1.mga2

from SRPMS:
ruby-actionmailer-2.3.17-1.mga2.src.rpm
ruby-actionpack-2.3.17-1.mga2.src.rpm
ruby-activerecord-2.3.17-1.mga2.src.rpm
ruby-activeresource-2.3.17-1.mga2.src.rpm
ruby-activesupport-2.3.17-1.mga2.src.rpm
ruby-rails-2.3.17-1.mga2.src.rpm
Assignee: shikamaru => qa-bugs
Severity: normal => critical
Summary: ruby gem packages possibly contain security issues => ruby-rails and associated gem packages contain security issues
Does chiliproject need updating too? See https://bugs.mageia.org/show_bug.cgi?id=2638#c24
$ urpmq --whatrequires ruby-rails | sort -u
chiliproject
mageia-maintainers-database
redmine
rubygem-passenger
ruby-rails
ruby-rails-devel
ruby-rails-doc
teambox

Confirmed chiliproject, redmine and mageia-maintainers-database have strict versioned requires on at least rails==2.3.14 so will also probably need a rebuild.
Whiteboard: (none) => feedback
Ping shikamaru as he/she is the maintainer of chiliproject.
Remy could you please see previous comments. Thanks
The problem is, chiliproject and redmine do not build in cauldron :( So if we push updates to 2, then it will be impossible to upgrade 2 -> 3.
Can the ruby packages be patched for the CVE's so they keep the same version? That would prevent the version bump which is causing the problem at the moment.
Depends on: (none) => 9227
Hello,

Chiliproject can be dropped, as well as teambox and rubygem-passenger. For Redmine I remember seeing a rails 3 branch but it might be experimental. In general, I have difficulties in packaging rails 3 apps due to the use of bundler, I don't know how to handle Gemfile and Gemfile.lock files. I tried to fix it when chiliproject got updated but it's still in a broken state from the day it was updated to 2.0.

Rubygem-passenger does not respect our policy, and upstream uses its own patched libboost. It shouldn't have been imported in the first place.

Teambox should be dropped because it's not open-source anymore. v4 isn't available, v3 should work with rails3 but I'm not sure it is still maintained, see http://help.teambox.com/forums/86927-ideas-and-suggestions/suggestions/2566661-update-your-github-repo-with-teambox-4-code- (http://teambox.com/open-source returns err404)

I don't know much about mageia-maintdb

Regards,
Assigning Funda until this is ready. Please reassign to QA when you've had a chance to take a look. Thanks :)
Assignee: qa-bugs => fundawang
Whiteboard: feedback => (none)
CC: (none) => qa-bugs
Funda reported on the mageia-dev list that there's now also CVE-2013-185[4-7] fixed in 2.3.18.
(In reply to David Walser from comment #40)
> Funda reported on the mageia-dev list that there's now also
> CVE-2013-185[4-7] fixed in 2.3.18.

Debian has issued an advisory for these on March 28:
http://www.debian.org/security/2013/dsa-2655
from http://lwn.net/Vulnerabilities/545190/
Closing this now due to Mageia 2 EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Status: ASSIGNED => RESOLVED
Resolution: (none) => OLD
QA Contact: (none) => security