-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0124
                            rails security update
                               31 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rails
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0333
Reference:         ESB-2013.0120
                   ESB-2013.0115

Original Bulletin:
   http://www.debian.org/security/2013/dsa-2613

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running rails check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2613-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
January 29, 2013                       http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : rails
Vulnerability  : insufficient input validation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-0333
Debian Bug     : 699226

Lawrence Pit discovered that Ruby on Rails, a web development framework,
is vulnerable to a flaw in the parsing of JSON to YAML. Using a specially
crafted payload attackers can trick the backend into decoding a subset of
YAML.

The vulnerability has been addressed by removing the YAML backend and
adding the OkJson backend.

For the stable distribution (squeeze), this problem has been fixed in
version 2.3.5-1.2+squeeze6.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.3.14-6 of the ruby-activesupport-2.3 package.

The 3.2 version of rails as found in Debian wheezy and sid is not affected
by the problem.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJRCMynAAoJEFb2GnlAHawEZvsH/0sNi8g2d++J7xYFcFwFGLvW
srX8HBAlp38NAgq6J4mLCuI/UWo46A+PvG/2D38rWmX55DxeridYcvmWf5xDlbwq
wr8rlR6x0LpNyBqgneq3oobAfOuN6YrY0TQvdzIzzGG/5NS7/DahB6PaJdOMUFow
N4GhIjVCUCBs6R/kQKLtoBp82JbQKgL7C5MO1i74OKeYrxSJ1PiPa4O5zuZDy3Xg
rwWZBuTE6Y1Pf2ysyzAOcPvPCNLYKMy8UXcC2EOS89m3v2tuwUaI2n0RS1q4MagF
TtKaEL8S9bkJEnfRADNbfodAKD1ll0Nptf/PSsKJjDy1IF00pjKW9AsfLTJAdK8=
=XDO7
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUQnfNO4yVqjM2NGpAQKbTg//dqCc8ak5p/PTD7SS09GL0PzIfz48jj5j
29bDhd7FepXUCu6BQC1BWO3zU/WpZ1d8SMSB63uoSjg9X9eDonhDsOoOs66D8/X5
UBG95AgJogBawKCexgqWCif8E7VRAr5YdQ2Vn3O8JEYWDHH3GjAPf1EHN9uxAGe3
U6ZY0YhvwajdmvNUa2hyjT2G18pOvt4Oh2tVBzEYRrQsUbky6sBvq/kSmsC9P21A
xOJJvtvvu9CnN9vshu+JF9AxxaL7J5YgbTuzSXEF7CczlOUhU7FBhMv8dT2mePfD
VTvQnko/ciV8C7biMJAHMC/FD4gIROIrI3B0TNcMP3BMOXceeMpTTwys5TGNRk3w
26HJqGL5PYoyqkiAOdYPo3MOC4jvLyfBaRiN8nujuZUmdsa6/CvqkKt0Y0pmFZsX
RBgxz8GRdKJC7cZ3mfo3z9utmrX+mXS64w+qQwvqeHBZBTsLXGHZmJUTPUpJ+MBz
61siaWWFC7htlYiZ+X4gLk8CbJbBqJM9bpj6OvP86vowodoUbIv0dME58pIaHI36
HnIFwtN4rXXe6Dkv6MQea/FOpBTo6pzyxDIXayYMfArFJ+4p4S8LXa80xh3fUFZ6
/woYiFtEVqKiUZ6ix6UptZ1gNUVGtr8mSvlsWLY7rd5jB5XVqn10CpjnIIZQ6SQL
SSHVRxZ/gOM=
=2vko
-----END PGP SIGNATURE-----
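The point the advisory makes in one sentence (a "JSON" backend that hands the request body to a YAML loader will decode whatever YAML the loader accepts, including tags that name Ruby classes) is easier to see side by side. The Ruby script below is an added illustration for this bulletin, not code from Debian, Rails or the removed ActiveSupport backend: decode_via_yaml is a hypothetical reconstruction of the YAML-backed approach, decode_via_json is the strict alternative, AuditRecord stands in for whatever class an attacker would name, and both request bodies are constructed for the example. It assumes Ruby with the standard json and psych libraries; on Ruby 3.1 and later YAML.load is safe by default, so the old behaviour has to be requested with YAML.unsafe_load.

```ruby
require 'json'
require 'yaml'

# Stand-in for "any class already loaded in the application process".
# In the real bug the attacker picks the class; here it is defined for the demo.
class AuditRecord
  attr_accessor :note
end

# Constructed benign request body: valid JSON.
BENIGN_BODY = '{"user": "alice", "role": "viewer"}'

# Constructed hostile request body: not JSON at all, but a YAML document
# carrying a tag. A backend that treats JSON as "a subset of YAML" accepts it.
HOSTILE_BODY = "--- !ruby/object:AuditRecord\nnote: injected via YAML tag\n"

# Pre-fix behaviour (hypothetical reconstruction, not the removed backend's
# code): hand the body to the full YAML loader. Newer psych makes YAML.load
# safe by default, so the historical behaviour is requested via unsafe_load
# where that method exists.
def decode_via_yaml(body)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(body)
  else
    YAML.load(body)
  end
end

# Post-fix behaviour: a real JSON parser, which knows nothing about YAML tags.
def decode_via_json(body)
  JSON.parse(body)
end

# Run one body through one decoder and summarise the outcome, so the two
# decoders can be compared without exceptions escaping.
def describe_decode(decoder, body)
  result = send(decoder, body)
  { status: :parsed, class: result.class.name, value: result }
rescue JSON::ParserError, Psych::Exception => e
  { status: :rejected, error: e.class.name }
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_BODY, HOSTILE_BODY].each do |body|
    puts "body: #{body.inspect}"
    %i[decode_via_yaml decode_via_json].each do |decoder|
      puts "  #{decoder}: #{describe_decode(decoder, body).inspect}"
    end
  end
end
```

Both decoders return the same Hash for the benign body, which is why the YAML shortcut looked harmless. For the hostile body the YAML path returns an instantiated AuditRecord with its instance variable set from attacker-controlled data, while the JSON parser rejects it with JSON::ParserError. Whether instantiating an arbitrary already-loaded class leads to code execution depends on what that class does when built and used; the check worth taking from this is that a decoder for a format must reject everything outside that format, rather than accept a superset and hope the extra syntax is never reached.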