Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0124
rails security update
31 January 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: rails
Publisher: Debian
Operating System: Debian GNU/Linux 6
Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-0333
Reference: ESB-2013.0120
ESB-2013.0115
Original Bulletin:
http://www.debian.org/security/2013/dsa-2613
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running rails check for an updated version of the software for their
operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2613-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
January 29, 2013 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : rails
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-0333
Debian Bug : 699226
Lawrence Pit discovered that Ruby on Rails, a web development framenwork,
is vulnerable to a flaw in the parsing of JSON to YAML. Using a specially
crafted payload attackers can trick the backend into decoding a subset of
YAML.
The vulnerability has been addressed by removing the YAML backend and
adding the OkJson backend.
For the stable distribution (squeeze), this problem has been fixed in
version 2.3.5-1.2+squeeze6.
For the testing distribution (wheezy), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 2.3.14-6 of the ruby-activesupport-2.3 package.
The 3.2 version of rails as found in Debian wheezy and sid is not
affected by the problem.
We recommend that you upgrade your rails packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJRCMynAAoJEFb2GnlAHawEZvsH/0sNi8g2d++J7xYFcFwFGLvW
srX8HBAlp38NAgq6J4mLCuI/UWo46A+PvG/2D38rWmX55DxeridYcvmWf5xDlbwq
wr8rlR6x0LpNyBqgneq3oobAfOuN6YrY0TQvdzIzzGG/5NS7/DahB6PaJdOMUFow
N4GhIjVCUCBs6R/kQKLtoBp82JbQKgL7C5MO1i74OKeYrxSJ1PiPa4O5zuZDy3Xg
rwWZBuTE6Y1Pf2ysyzAOcPvPCNLYKMy8UXcC2EOS89m3v2tuwUaI2n0RS1q4MagF
TtKaEL8S9bkJEnfRADNbfodAKD1ll0Nptf/PSsKJjDy1IF00pjKW9AsfLTJAdK8=
=XDO7
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUQnfNO4yVqjM2NGpAQKbTg//dqCc8ak5p/PTD7SS09GL0PzIfz48jj5j
29bDhd7FepXUCu6BQC1BWO3zU/WpZ1d8SMSB63uoSjg9X9eDonhDsOoOs66D8/X5
UBG95AgJogBawKCexgqWCif8E7VRAr5YdQ2Vn3O8JEYWDHH3GjAPf1EHN9uxAGe3
U6ZY0YhvwajdmvNUa2hyjT2G18pOvt4Oh2tVBzEYRrQsUbky6sBvq/kSmsC9P21A
xOJJvtvvu9CnN9vshu+JF9AxxaL7J5YgbTuzSXEF7CczlOUhU7FBhMv8dT2mePfD
VTvQnko/ciV8C7biMJAHMC/FD4gIROIrI3B0TNcMP3BMOXceeMpTTwys5TGNRk3w
26HJqGL5PYoyqkiAOdYPo3MOC4jvLyfBaRiN8nujuZUmdsa6/CvqkKt0Y0pmFZsX
RBgxz8GRdKJC7cZ3mfo3z9utmrX+mXS64w+qQwvqeHBZBTsLXGHZmJUTPUpJ+MBz
61siaWWFC7htlYiZ+X4gLk8CbJbBqJM9bpj6OvP86vowodoUbIv0dME58pIaHI36
HnIFwtN4rXXe6Dkv6MQea/FOpBTo6pzyxDIXayYMfArFJ+4p4S8LXa80xh3fUFZ6
/woYiFtEVqKiUZ6ix6UptZ1gNUVGtr8mSvlsWLY7rd5jB5XVqn10CpjnIIZQ6SQL
SSHVRxZ/gOM=
=2vko
-----END PGP SIGNATURE-----