===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0042
     [SEC] [ANN] Rails 3.2.13, 3.1.12, and 2.3.18 have been released!
                               20 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Ruby on Rails
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Denial of Service        -- Remote/Unauthenticated      
                      Cross-site Scripting     -- Remote with User Interaction
                      Access Confidential Data -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1857 CVE-2013-1856 CVE-2013-1855
                      CVE-2013-1854  
Member content until: Friday, April 19 2013

OVERVIEW

        Multiple vulnerabilities have been identified in Ruby on Rails prior to
        versions 3.2.13, 3.1.12, and 2.3.18. [1]


IMPACT

        The vendor has provided the following information:
        
        "Symbol DoS vulnerability in Active Record
        
        There is a symbol DoS vulnerability in Active Record. This 
        vulnerability has been assigned the CVE identifier CVE-2013-1854.
        
        Versions Affected:  3.2.x, 3.1.x, 2.3.x
        Not affected:       3.0.x
        Fixed Versions:     3.2.13, 3.1.12, 2.3.18" [2]
        
        "XSS vulnerability in sanitize_css in Action Pack
        
        There is an XSS vulnerability in the `sanitize_css` method in Action 
        Pack. This vulnerability has been assigned the CVE identifier 
        CVE-2013-1855.
        
        Versions Affected:  All.
        Not affected:       None.
        Fixed Versions:     3.2.13, 3.1.12, 2.3.18" [3]
        
        "XML Parsing Vulnerability affecting JRuby users
        
        There is a vulnerability in the JDOM backend to ActiveSupport's XML 
        parser.  This could allow an attacker to perform a denial of service 
        attack or gain access to files stored on the application server.  
        This vulnerability has been assigned the CVE identifier CVE-2013-1856.
        
        Versions Affected:  3.0.0 and All Later Versions when using JRuby
        Not affected:       Applications not using JRuby or JRuby applications
                            not using the JDOM backend.
        Fixed Versions:     3.2.13, 3.1.12" [4]
        
        "XSS Vulnerability in the `sanitize` helper of Ruby on Rails
        
        There is an XSS vulnerability in the sanitize helper in Ruby on Rails.
        This vulnerability has been assigned the CVE identifier CVE-2013-1857.
        
        Versions Affected:  All.
        Not affected:       None.
        Fixed Versions:     3.2.13, 3.1.12, 2.3.18" [5]


MITIGATION

        The vendor recommends upgrading to versions 3.2.13, 3.1.12, or 2.3.18.
        [1] 
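As an added illustration, not part of the AusCERT bulletin or of Rails itself, the following Ruby script maps the Rails version pinned in a Gemfile.lock to the CVEs of this bulletin, using only the version ranges the vendor notices give. The lock-file excerpt is constructed sample input, and the `jruby` flag is an assumption the script takes as a parameter.

```ruby
# Added example, not part of the AusCERT bulletin or the Rails project:
# decide which CVEs from this bulletin still apply to an application's
# pinned Rails version, using the version ranges the vendor notices give.
require 'rubygems'

# Fixed versions per maintained branch, as listed in the bulletin.
FIXED = { '3.2' => '3.2.13', '3.1' => '3.1.12', '2.3' => '2.3.18' }.freeze

# Constructed Gemfile.lock excerpt (sample input, not from a real app).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.12)
        actionpack (= 3.2.12)
LOCK

# Pull the rails gem's resolved version out of the lock file's specs section
# (exactly four leading spaces; deeper indents are dependency constraints).
def rails_version_from_lock(lock_text)
  m = lock_text.match(/^ {4}rails \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

def branch_of(version)
  version.segments[0, 2].join('.')
end

# Returns the sorted list of bulletin CVEs applicable to +version+.
# jruby: true when the app runs on JRuby (CVE-2013-1856 concerns the
# JDOM backend of ActiveSupport's XML parser, so it is JRuby-only).
def applicable_cves(version, jruby: false)
  branch = branch_of(version)
  fixed = FIXED[branch]
  patched = !fixed.nil? && version >= Gem::Version.new(fixed)
  cves = []
  unless patched
    # CVE-2013-1855 and CVE-2013-1857: all versions, fixed in 3.2.13/3.1.12/2.3.18.
    cves << 'CVE-2013-1855' << 'CVE-2013-1857'
    # CVE-2013-1854: 3.2.x, 3.1.x and 2.3.x only; 3.0.x is not affected.
    cves << 'CVE-2013-1854' if %w[3.2 3.1 2.3].include?(branch)
  end
  # CVE-2013-1856: 3.0.0 and later on JRuby; fixes listed only for 3.2 and 3.1.
  if jruby && version >= Gem::Version.new('3.0.0') &&
     !(patched && %w[3.2 3.1].include?(branch))
    cves << 'CVE-2013-1856'
  end
  cves.sort
end
```

Running `applicable_cves(rails_version_from_lock(SAMPLE_LOCK), jruby: true)` on the constructed lock reports all four CVEs, and an empty list once the pinned version reaches the fixed release for its branch.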


REFERENCES

        [1] [SEC] [ANN] Rails 3.2.13, 3.1.12, and 2.3.18 have been released!
            http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/

        [2] [CVE-2013-1854] Symbol DoS vulnerability in Active Record
            https://groups.google.com/forum/#!topic/ruby-security-ann/o0Dsdk2WrQ0

        [3] [CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack
            https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8

        [4] [CVE-2013-1856] XML Parsing Vulnerability affecting JRuby users
            https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI

        [5] [CVE-2013-1857] XSS Vulnerability in the `sanitize` helper of Ruby
            on Rails
            https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================