openSUSE Security Update: RubyOnRails: security version update to 2.3.17 or 3.2.12
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:0338-1
Rating:             moderate
References:         #798452 #802794 #802795 #803336 #803339
Cross-References:   CVE-2012-6109 CVE-2013-0183 CVE-2013-0184 CVE-2013-0262
                    CVE-2013-0263 CVE-2013-0276 CVE-2013-0277
Affected Products:
                    openSUSE 12.2
                    openSUSE 12.1
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   The Ruby on Rails 2.3 stack was updated to 2.3.17.
   The Ruby on Rails 3.2 stack was updated to 3.2.12.
   The Ruby Rack was updated to 1.1.6.
   The Ruby Rack was updated to 1.2.8.
   The Ruby Rack was updated to 1.3.10.
   The Ruby Rack was updated to 1.4.5.

   The updates fix various security issues and bugs.

   Ruby on Rails changes (the same entry appears in the changelog of every
   Rails gem package; it is listed once here):

   - update to version 2.3.17 (bnc#803336, bnc#803339) CVE-2013-0276 CVE-2013-0277:
     - Fix issue with attr_protected where malformed input could circumvent
       protection
     - Fix Serialized Attributes YAML Vulnerability
   - update to version 3.2.12 (bnc#803336) CVE-2013-0276:
     - Fix issue with attr_protected where malformed input could circumvent
       protection
     - Quote numeric values being compared to non-numeric columns. Otherwise,
       in some databases, the string column values will be coerced to a
       numeric, allowing 0, 0.0 or false to match any string starting with a
       non-digit.
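   The "Serialized Attributes YAML Vulnerability" fixed in 2.3.17 (CVE-2013-0277)
   comes from feeding a database column that an attacker can write into a full
   YAML loader, which honours `!ruby/object:` tags and therefore lets the stored
   string choose which class gets instantiated. The following is an added
   example written for this page; it is not code from the advisory or from
   Rails. The class `Widget`, the two column values and the helper names are
   constructed for the demonstration. It contrasts the unrestricted load with
   the restricted loader (Psych's `safe_load`) that later Rails releases use
   for serialized attributes.

```ruby
# Added example (not from the openSUSE advisory or from Rails): unrestricted
# YAML loading of a serialized attribute versus a restricted loader.
require "yaml"

# Stand-in for any application class an attacker would like instantiated
# (constructed for this demo).
class Widget
  attr_accessor :name
end

# Constructed sample of what an attacker can store in a serialized column when
# the application lets them write the raw value.
MALICIOUS_COLUMN = "--- !ruby/object:Widget\nname: attacker-controlled\n"

# Constructed sample of what the column is supposed to contain: plain data.
BENIGN_COLUMN = "---\n:theme: dark\n:items_per_page: 25\n"

# The vulnerable behaviour: a full YAML load that honours !ruby/object tags.
# Psych 4 (Ruby 3.1+) made YAML.load safe and added unsafe_load; older Psych
# only has the unrestricted load.
def unsafe_deserialize(raw)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(raw) : YAML.load(raw)
end

# The hardened form: only basic YAML types plus an explicit allow-list of
# classes are revived; anything else raises Psych::DisallowedClass.
def safe_deserialize(raw, permitted_classes: [Symbol])
  YAML.safe_load(raw, permitted_classes: permitted_classes)
end

# Column-reader shaped wrapper: [:ok, value] or [:rejected, message], so the
# caller can log the attempt instead of failing the whole request.
def read_serialized_attribute(raw)
  [:ok, safe_deserialize(raw)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_deserialize(MALICIOUS_COLUMN)
  puts "unrestricted load produced: #{obj.class} (name=#{obj.name.inspect})"
  puts "restricted load, benign column:    #{read_serialized_attribute(BENIGN_COLUMN).inspect}"
  puts "restricted load, malicious column: #{read_serialized_attribute(MALICIOUS_COLUMN).inspect}"
end
```

   The allow-list should name exactly the classes the column is declared to
   hold; permitting only `Symbol` keeps hashes with symbol keys working while
   still refusing every `!ruby/object:` tag.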
   Ruby Rack changes:

   - update to 1.1.6 (bnc#802794)
     * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
   - update to 1.2.8 (bnc#802794)
     * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
   - update to 1.3.10 (bnc#802794)
     * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
   - ruby rack update to 1.4.5 (bnc#802794 bnc#802795)
     * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie
     * Fix CVE-2013-0262, symlink path traversal in Rack::File
   - ruby rack update to 1.4.4 (bnc#798452)
     * [SEC] Rack::Auth::AbstractRequest no longer symbolizes arbitrary
       strings (CVE-2013-0184)
   - ruby rack changes from 1.4.3
     * Security: Prevent unbounded reads in large multipart boundaries
       (CVE-2013-0183)
   - ruby rack changes from 1.4.2 (CVE-2012-6109)
     * Add warnings when users do not provide a session secret
     * Fix parsing performance for unquoted filenames
     * Updated URI backports
     * Fix URI backport version matching, and silence constant warnings
     * Correct parameter parsing with empty values
     * Correct rackup '-I' flag, to allow multiple uses
     * Correct rackup pidfile handling
     * Report rackup line numbers correctly
     * Fix request loops caused by non-stale nonces with time limits
     * Fix reloader on Windows
     * Prevent infinite recursions from Response#to_ary
     * Various middleware better conforms to the body close specification
     * Updated language for the body close specification
     * Additional notes regarding ECMA escape compatibility issues
     * Fix the parsing of multiple ranges in range headers
     * Prevent errors from empty parameter keys
     * Added PATCH verb to Rack::Request
     * Various documentation updates
     * Fix session merge semantics (fixes rack-test)
     * Rack::Static :index can now handle multiple directories
     * All tests now utilize Rack::Lint (special thanks to Lars Gierth)
     * Rack::File cache_control parameter is now deprecated, and removed by 1.5
     * Correct Rack::Directory script name escaping
     * Rack::Static supports header rules for sophisticated configurations
     * Multipart parsing
       now works without a Content-Length header
     * New logos courtesy of Zachary Scott!
     * Rack::BodyProxy now explicitly defines #each, useful for C extensions
     * Cookies that are not URI escaped no longer cause exceptions

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.2:

      zypper in -t patch openSUSE-2013-152

   - openSUSE 12.1:

      zypper in -t patch openSUSE-2013-152

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 12.2 (i586 x86_64):

      rubygem-actionmailer-2_3-2.3.17-2.9.1
      rubygem-actionmailer-2_3-doc-2.3.17-2.9.1
      rubygem-actionmailer-2_3-testsuite-2.3.17-2.9.1
      rubygem-actionmailer-3_2-3.2.12-2.13.1
      rubygem-actionmailer-3_2-doc-3.2.12-2.13.1
      rubygem-actionpack-2_3-2.3.17-2.17.1
      rubygem-actionpack-2_3-doc-2.3.17-2.17.1
      rubygem-actionpack-2_3-testsuite-2.3.17-2.17.1
      rubygem-actionpack-3_2-3.2.12-3.13.1
      rubygem-actionpack-3_2-doc-3.2.12-3.13.1
      rubygem-activemodel-3_2-3.2.12-2.13.1
      rubygem-activemodel-3_2-doc-3.2.12-2.13.1
      rubygem-activerecord-2_3-2.3.17-2.13.1
      rubygem-activerecord-2_3-doc-2.3.17-2.13.1
      rubygem-activerecord-2_3-testsuite-2.3.17-2.13.1
      rubygem-activerecord-3_2-3.2.12-2.13.1
      rubygem-activerecord-3_2-doc-3.2.12-2.13.1
      rubygem-activeresource-2_3-2.3.17-2.9.1
      rubygem-activeresource-2_3-doc-2.3.17-2.9.1
      rubygem-activeresource-2_3-testsuite-2.3.17-2.9.1
      rubygem-activeresource-3_2-3.2.12-2.13.1
      rubygem-activeresource-3_2-doc-3.2.12-2.13.1
      rubygem-activesupport-2_3-2.3.17-3.13.1
      rubygem-activesupport-2_3-doc-2.3.17-3.13.1
      rubygem-activesupport-3_2-3.2.12-2.13.1
      rubygem-activesupport-3_2-doc-3.2.12-2.13.1
      rubygem-rack-1_1-1.1.6-6.9.1
      rubygem-rack-1_1-doc-1.1.6-6.9.1
      rubygem-rack-1_1-testsuite-1.1.6-6.9.1
      rubygem-rack-1_2-1.2.8-2.9.1
      rubygem-rack-1_2-doc-1.2.8-2.9.1
      rubygem-rack-1_2-testsuite-1.2.8-2.9.1
      rubygem-rack-1_3-1.3.10-2.9.1
      rubygem-rack-1_3-doc-1.3.10-2.9.1
      rubygem-rack-1_3-testsuite-1.3.10-2.9.1
      rubygem-rack-1_4-1.4.5-2.9.1
      rubygem-rack-1_4-doc-1.4.5-2.9.1
      rubygem-rack-1_4-testsuite-1.4.5-2.9.1
      rubygem-rails-2_3-2.3.17-3.9.1
      rubygem-rails-2_3-doc-2.3.17-3.9.1
      rubygem-rails-3_2-3.2.12-2.13.1
      rubygem-rails-3_2-doc-3.2.12-2.13.1
      rubygem-railties-3_2-3.2.12-2.13.1
      rubygem-railties-3_2-doc-3.2.12-2.13.1

   - openSUSE 12.2 (noarch):

      rubygem-actionmailer-2.3.17-2.9.1
      rubygem-actionpack-2.3.17-2.9.1
      rubygem-activerecord-2.3.17-3.9.1
      rubygem-activeresource-2.3.17-3.9.1
      rubygem-activesupport-2.3.17-3.9.1
      rubygem-rails-2.3.17-3.9.1

   - openSUSE 12.1 (i586 x86_64):

      rubygem-actionmailer-2_3-2.3.17-3.13.2
      rubygem-actionmailer-2_3-doc-2.3.17-3.13.2
      rubygem-actionmailer-2_3-testsuite-2.3.17-3.13.2
      rubygem-actionpack-2_3-2.3.17-3.20.2
      rubygem-actionpack-2_3-doc-2.3.17-3.20.2
      rubygem-actionpack-2_3-testsuite-2.3.17-3.20.2
      rubygem-activerecord-2_3-2.3.17-3.16.1
      rubygem-activerecord-2_3-doc-2.3.17-3.16.1
      rubygem-activerecord-2_3-testsuite-2.3.17-3.16.1
      rubygem-activeresource-2_3-2.3.17-3.13.1
      rubygem-activeresource-2_3-doc-2.3.17-3.13.1
      rubygem-activeresource-2_3-testsuite-2.3.17-3.13.1
      rubygem-activesupport-2_3-2.3.17-3.17.1
      rubygem-activesupport-2_3-doc-2.3.17-3.17.1
      rubygem-rack-1_1-1.1.6-3.9.1
      rubygem-rack-1_1-doc-1.1.6-3.9.1
      rubygem-rack-1_1-testsuite-1.1.6-3.9.1
      rubygem-rails-2_3-2.3.17-3.13.1
      rubygem-rails-2_3-doc-2.3.17-3.13.1

   - openSUSE 12.1 (noarch):

      rubygem-actionmailer-2.3.17-2.11.1
      rubygem-actionpack-2.3.17-2.11.1
      rubygem-activerecord-2.3.17-2.11.1
      rubygem-activeresource-2.3.17-2.11.1
      rubygem-activesupport-2.3.17-2.11.1
      rubygem-rails-2.3.17-2.11.1

References:

   http://support.novell.com/security/cve/CVE-2012-6109.html
   http://support.novell.com/security/cve/CVE-2013-0183.html
   http://support.novell.com/security/cve/CVE-2013-0184.html
   http://support.novell.com/security/cve/CVE-2013-0262.html
   http://support.novell.com/security/cve/CVE-2013-0263.html
   http://support.novell.com/security/cve/CVE-2013-0276.html
   http://support.novell.com/security/cve/CVE-2013-0277.html
   https://bugzilla.novell.com/798452
   https://bugzilla.novell.com/802794
   https://bugzilla.novell.com/802795
   https://bugzilla.novell.com/803336
   https://bugzilla.novell.com/803339
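   The timing attack against Rack::Session::Cookie (CVE-2013-0263) listed in
   the Rack changelog above comes from checking the cookie's HMAC with an
   ordinary string comparison, which stops at the first differing byte and so
   leaks how much of a guessed digest is already correct. The following is an
   added example written for this page, not code from the advisory or from
   Rack. The cookie layout (base64 payload, "--", hex HMAC-SHA1) is modelled on
   Rack 1.x; the secret, the payload and all helper names are constructed for
   the demonstration. Instead of timing anything, `compare_leaky` reports how
   many bytes it examined, which makes the leak visible deterministically.

```ruby
# Added example (not from the openSUSE advisory or from Rack): short-circuit
# versus constant-time verification of a signed session cookie.
require "openssl"
require "base64"

# Constructed demo secret; a real deployment takes this from configuration.
SECRET = "constructed-demo-secret-do-not-reuse".freeze

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), secret, data)
end

# Cookie layout modelled on Rack 1.x Session::Cookie: base64(payload) "--" hex HMAC.
def sign_cookie(payload, secret = SECRET)
  data = Base64.strict_encode64(payload)
  "#{data}--#{hmac_hex(secret, data)}"
end

# What a short-circuiting comparison (String#== / memcmp) does: stop at the
# first differing byte. Returns [equal?, bytes_examined] to expose the leak.
def compare_leaky(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  a.bytesize.times { |i| return [false, i + 1] if a.getbyte(i) != b.getbyte(i) }
  [true, a.bytesize]
end

# Constant-time comparison (the shape of Rack::Utils.secure_compare): every
# byte is examined and the XOR differences are OR-ed together, so run time does
# not depend on where the first mismatch is. Length is still revealed, but the
# length of a hex HMAC is public anyway.
def compare_constant_time(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  diff = 0
  a.bytesize.times { |i| diff |= a.getbyte(i) ^ b.getbyte(i) }
  [diff == 0, a.bytesize]
end

# Verify a cookie with the given comparator; returns the payload or nil.
def verify_cookie(cookie, secret = SECRET, comparator:)
  data, digest = cookie.split("--", 2)
  return nil unless data && digest
  ok, _examined = send(comparator, digest, hmac_hex(secret, data))
  ok ? Base64.strict_decode64(data) : nil
end

def verify_cookie_vulnerable(cookie, secret = SECRET)
  verify_cookie(cookie, secret, comparator: :compare_leaky)
end

def verify_cookie_fixed(cookie, secret = SECRET)
  verify_cookie(cookie, secret, comparator: :compare_constant_time)
end

# Forge a cookie whose digest is right for the first prefix_len hex characters
# and wrong at position prefix_len: the kind of value an attacker refining a
# guess one position at a time would submit.
def forge_digest(cookie, prefix_len)
  data, digest = cookie.split("--", 2)
  d = digest.dup
  d[prefix_len] = (d[prefix_len] == "0" ? "1" : "0")
  "#{data}--#{d}"
end

if __FILE__ == $PROGRAM_NAME
  cookie   = sign_cookie("session-data")
  expected = cookie.split("--", 2).last
  [0, 5, 20, 39].each do |n|
    guess = forge_digest(cookie, n).split("--", 2).last
    puts "prefix #{n.to_s.rjust(2)} correct: leaky examined #{compare_leaky(guess, expected).last} bytes," \
         " constant-time examined #{compare_constant_time(guess, expected).last}"
  end
end
```

   Both verifiers reject forged cookies; the difference is only in how long
   they take to do so, which is exactly what the attacker measures.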
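   The symlink path traversal in Rack::File (CVE-2013-0262) listed in the Rack
   1.4.5 changelog above is a mismatch between a lexical check and filesystem
   resolution: a depth counter that only rejects ".." climbing above the root
   accepts "/link/../secret.txt", but the kernel resolves "link/.." relative to
   the symlink's target, not to the root. The following is an added example
   written for this page, not code from the advisory or from Rack. The
   depth-counting check is a simplified model of the pre-1.4.5 logic,
   `clean_path_info` follows the shape of the lexical normalisation Rack
   adopted, and the directory tree, symlink and file names are constructed in
   a temporary directory by the script itself.

```ruby
# Added example (not from the openSUSE advisory or from Rack): depth-counting
# check versus lexical path cleaning in the presence of a symlink.
require "tmpdir"
require "fileutils"

# Simplified model of the old check: reject only when ".." climbs above root.
# "/link/../secret.txt" passes because the depth never goes negative.
def depth_check_accepts?(path_info)
  depth = 0
  path_info.split("/").each do |part|
    next if part.empty? || part == "."
    depth += (part == ".." ? -1 : 1)
    return false if depth < 0
  end
  true
end

# Lexical cleaning (the shape of Rack::Utils.clean_path_info): ".." pops the
# previous request-path component before the path reaches the filesystem, so a
# symlink can no longer change what ".." refers to.
def clean_path_info(path_info)
  clean = []
  path_info.split("/").each do |part|
    next if part.empty? || part == "."
    part == ".." ? clean.pop : clean << part
  end
  "/" + clean.join("/")
end

# Both resolvers return the absolute path that would be opened, or nil when the
# check rejects the request or the file does not exist.
def vulnerable_resolve(root, path_info)
  return nil unless depth_check_accepts?(path_info)
  File.realpath(File.join(root, path_info))
rescue Errno::ENOENT
  nil
end

def fixed_resolve(root, path_info)
  File.realpath(File.join(root, clean_path_info(path_info)))
rescue Errno::ENOENT
  nil
end

# Constructed tree:  <tmp>/outside/secret.txt   (must never be served)
#                    <tmp>/outside/www          (symlink target)
#                    <tmp>/root/public.txt      (Rack::File :root)
#                    <tmp>/root/link -> <tmp>/outside/www
def with_demo_tree
  Dir.mktmpdir("rack-file-demo") do |dir|
    outside = File.join(dir, "outside")
    target  = File.join(outside, "www")
    root    = File.join(dir, "root")
    FileUtils.mkdir_p([target, root])
    File.write(File.join(outside, "secret.txt"), "not for the web\n")
    File.write(File.join(root, "public.txt"), "fine\n")
    File.symlink(target, File.join(root, "link"))
    yield File.realpath(root), File.realpath(outside)
  end
end

def demo
  with_demo_tree do |root, outside|
    {
      root: root,
      outside: outside,
      cleaned: clean_path_info("/link/../secret.txt"),
      vulnerable: vulnerable_resolve(root, "/link/../secret.txt"),
      fixed: fixed_resolve(root, "/link/../secret.txt"),
      public_via_fixed: fixed_resolve(root, "/./public.txt"),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

   Note what the lexical fix does and does not promise: ".." now only ever
   removes a component of the request path, but a symlink that an administrator
   placed inside the root is still followed for the components after it, which
   is the intended behaviour.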