Unsafe Query Generation Risk in Ruby on Rails

Bug #1100162 reported by Christian Kuersteiner
Affects: ruby-actionpack-3.2 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing.

Versions Affected: 3.x series
Not affected: 2.x series

See also: http://www.openwall.com/lists/oss-security/2013/01/08/13

information type: Private Security → Public Security
Christian Kuersteiner (ckuerste) wrote :
Christian Kuersteiner (ckuerste) wrote :

Patch for quantal

Changed in ruby-actionpack-3.2 (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

hrm, this is actually being tracked in bug #1100188. Can you submit your debdiff there instead?

Jamie Strandboge (jdstrand) wrote :

@Christian

> hrm, this is actually being tracked in bug #1100188. Can you submit your debdiff there instead?

Never mind, I did it for you. Please subscribe to bug #1100188. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby-actionpack-3.2 - 3.2.6-4ubuntu0.1

---------------
ruby-actionpack-3.2 (3.2.6-4ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: Unsafe Query Generation Risk in Ruby on Rails
    (LP: #1100162)
    - debian/patches/CVE-2013-0155: Strip nils from collections on JSON and
      XML posts. Based on upstream patch.
    - CVE-2013-0155
 -- Christian Kuersteiner <email address hidden> Wed, 16 Jan 2013 14:20:55 +0700

Changed in ruby-actionpack-3.2 (Ubuntu):
status: Confirmed → Fix Released
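An added example, not the Ubuntu patch or upstream Rails code, of the mitigation the changelog above describes: nils are recursively stripped out of arrays in parsed JSON parameters before the values reach Active Record, so a collection can no longer carry a nil into a generated query. The request body, `sanitize_json_params` and `contains_nil_in_collection?` are constructed for illustration.

```ruby
require 'json'

# Remove nil entries from every array nested inside a parsed parameter
# structure (the approach the changelog describes as "strip nils from
# collections"). Arrays that held only nils collapse to an empty array;
# nil values stored directly under a hash key are left untouched.
def strip_nils_from_collections(value)
  case value
  when Array
    value.compact.map { |v| strip_nils_from_collections(v) }
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = strip_nils_from_collections(v) }
  else
    value
  end
end

# Parse a JSON request body and sanitise it before it is handed on.
def sanitize_json_params(body)
  strip_nils_from_collections(JSON.parse(body))
end

# Hypothetical defensive check: true if any array in the structure still
# contains a nil, i.e. the parameters have not been sanitised.
def contains_nil_in_collection?(value)
  case value
  when Array then value.any? { |v| v.nil? || contains_nil_in_collection?(v) }
  when Hash  then value.values.any? { |v| contains_nil_in_collection?(v) }
  else false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: two fields carry nils inside arrays.
  body = '{"user": {"name": "alice", "tags": ["admin", null], "ids": [null]}}'
  raw  = JSON.parse(body)
  safe = sanitize_json_params(body)
  puts "raw contains nil in a collection: #{contains_nil_in_collection?(raw)}"
  puts "sanitised: #{safe.inspect}"
end
```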