[opensuse-security] Re: [security-announce] SUSE-SU-2013:0606-1: important: Security update for Ruby on Rails

Sehr geehrte Damen und Herren, wegen eines Auslandsaufenthaltes kann ich die Nachricht vermutlich bis zum 4.4. nicht lesen. In dringenden Fällen stehe ich Ihnen unter +49 177 7902970 telefonisch zur Verfügung. Mit freundlichen Grüßen W. Lisiewicz ------------- Szanowni Państwo, z powodu pobytu za granicą nie będę prawdopodobnie mógł przeczytać Państwa wiadomości do dnia 4.4. W pilnych przypadkach jestem dostępny pod numerem telefonu +49 177 7902970. Pozdrawiam serdecznie W. Lisiewicz Am 03.04.2013 um 20:06 schrieb opensuse-security@opensuse.org:

  SUSE Security Update: Security update for Ruby on Rails ______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:0606-1 Rating:             important References:         #796712 #797449 #797452 #800320 #803336 #803339

Cross-References:   CVE-2012-5664 CVE-2013-0155 CVE-2013-0156                    CVE-2013-0276 CVE-2013-0333 Affected Products:                    WebYaST 1.2                    SUSE Studio Standard Edition 1.2                    SUSE Studio Onsite 1.2                    SUSE Studio Extension for System z 1.2 ______________________________________________________________________________

  An update that solves 5 vulnerabilities and has one errata   is now available. It includes one version update.

Description:

  The Ruby on Rails stack has been updated to 2.3.17 to fix   various security  issues and bugs.

  The rails gems were updated to fix:

  * Unsafe Query Generation Risk in Ruby on Rails   (CVE-2013-0155)   * Multiple vulnerabilities in parameter parsing in   Action Pack (CVE-2013-0156)   * SQL Injection Vulnerability in Active Record   (CVE-2012-5664)   * rails: Vulnerability in JSON Parser in Ruby on Rails   3.0 and 2.3 (CVE-2013-0333)   * activerecord: Circumvention of attr_protected   (CVE-2013-0276)   * activerecord: Serialized Attributes YAML   Vulnerability with Rails 2.3 and 3.0 (CVE-2013-0277)

  Security Issue references:

  * CVE-2012-5664   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5664

  * CVE-2013-0155   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155

  * CVE-2013-0156   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156

  * CVE-2013-0333   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333

  * CVE-2013-0276   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276

  * CVE-2013-0276   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276

Patch Instructions:

  To install this SUSE Security Update use YaST online_update.   Alternatively you can run the command listed for your product:

  - WebYaST 1.2:

     zypper in -t patch slewyst12-rubygem-actionmailer-2_3-7364

  - SUSE Studio Standard Edition 1.2:

     zypper in -t patch sleslms12-rubygem-actionmailer-2_3-7364

  - SUSE Studio Onsite 1.2:

     zypper in -t patch slestso12-rubygem-actionmailer-2_3-7364

  - SUSE Studio Extension for System z 1.2:

     zypper in -t patch slestso12-rubygem-actionmailer-2_3-7364

  To bring your system up-to-date, use "zypper patch".

Package List:

  - WebYaST 1.2 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.3.17]:

     rubygem-actionmailer-2_3-2.3.17-0.6.1      rubygem-actionpack-2_3-2.3.17-0.6.1      rubygem-activerecord-2_3-2.3.17-0.6.1      rubygem-activeresource-2_3-2.3.17-0.6.1      rubygem-activesupport-2_3-2.3.17-0.6.1      rubygem-rails-2_3-2.3.17-0.6.2

  - SUSE Studio Standard Edition 1.2 (x86_64) [New Version: 2.3.17]:

     rubygem-actionmailer-2_3-2.3.17-0.6.1      rubygem-actionpack-2_3-2.3.17-0.6.1      rubygem-activerecord-2_3-2.3.17-0.6.1      rubygem-activeresource-2_3-2.3.17-0.6.1      rubygem-activesupport-2_3-2.3.17-0.6.1      rubygem-rails-2_3-2.3.17-0.6.2

  - SUSE Studio Standard Edition 1.2 (noarch) [New Version: 2.3.17]:

     rubygem-rails-2.3.17-0.4.6.1

  - SUSE Studio Onsite 1.2 (x86_64) [New Version: 2.3.17]:

     rubygem-actionmailer-2_3-2.3.17-0.6.1      rubygem-actionpack-2_3-2.3.17-0.6.1      rubygem-activerecord-2_3-2.3.17-0.6.1      rubygem-activeresource-2_3-2.3.17-0.6.1      rubygem-activesupport-2_3-2.3.17-0.6.1      rubygem-rails-2_3-2.3.17-0.6.2

  - SUSE Studio Extension for System z 1.2 (s390x) [New Version: 2.3.17]:

     rubygem-actionmailer-2_3-2.3.17-0.6.1      rubygem-actionpack-2_3-2.3.17-0.6.1      rubygem-activerecord-2_3-2.3.17-0.6.1      rubygem-activeresource-2_3-2.3.17-0.6.1      rubygem-activesupport-2_3-2.3.17-0.6.1      rubygem-rails-2_3-2.3.17-0.6.2

References:

  http://support.novell.com/security/cve/CVE-2012-5664.html   http://support.novell.com/security/cve/CVE-2013-0155.html   http://support.novell.com/security/cve/CVE-2013-0156.html   http://support.novell.com/security/cve/CVE-2013-0276.html   http://support.novell.com/security/cve/CVE-2013-0333.html   https://bugzilla.novell.com/796712   https://bugzilla.novell.com/797449   https://bugzilla.novell.com/797452   https://bugzilla.novell.com/800320   https://bugzilla.novell.com/803336   https://bugzilla.novell.com/803339   http://download.novell.com/patch/finder/?keywords=dfb687aafb848ceb562a7f371b...

-- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org