openSUSE Security Update: RubyOnRails: security version update to 2.3.17
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:0462-1
Rating:             moderate
References:         #798452 #803336 #803339
Cross-References:   CVE-2013-0183 CVE-2013-0184 CVE-2013-0262 CVE-2013-0263
                    CVE-2013-0276 CVE-2013-0277
Affected Products:
                    openSUSE 11.4
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

   Description:

   The Ruby on Rails 2.3 stack was updated to 2.3.17 and Rack was updated
   to 1.1.6. The updates fix the following security issues and bugs:

   - update to version 2.3.17 (bnc#803336, bnc#803339)
     CVE-2013-0276 CVE-2013-0277:
     - Fix issue with attr_protected where malformed input could
       circumvent protection
     - Fix Serialized Attributes YAML Vulnerability

   - update to 1.1.6 (bnc#802794)
     * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie

   Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.4:

      zypper in -t patch 2013-42

   To bring your system up-to-date, use "zypper patch".
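   The Rack fix for CVE-2013-0263 replaces an ordinary string comparison of
   the cookie's HMAC with a constant-time one. The Ruby below is an added
   example, not Rack's own code: it models the "<payload>--<hex HMAC>" cookie
   layout with a constructed secret and a plain-string payload standing in for
   the marshaled session, and shows the weak check beside the fixed one.

```ruby
require 'openssl'

# Constructed secret for the example only; a real app uses its own.
SECRET = 'constructed-demo-secret-do-not-reuse'

# Build a cookie in the "<base64 payload>--<hex HMAC-SHA1>" shape.
def sign(payload, secret = SECRET)
  data = [payload].pack('m0')  # strict base64, no newlines
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Weak style: String#== returns at the first differing byte, so the
# elapsed time depends on how many leading digest bytes already match.
def verify_weak(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  digest == expected ? data.unpack1('m0') : nil
end

# Fixed style: XOR every byte pair and OR the results together, so the
# work done is the same whether the mismatch is at byte 0 or byte 39.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def verify_constant_time(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  secure_compare(digest, expected) ? data.unpack1('m0') : nil
end
```

   Both verifiers accept the same cookies; only the fixed one keeps the
   comparison time independent of the submitted digest.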
   Package List:

   - openSUSE 11.4 (i586 x86_64):

      rubygem-actionmailer-2_3-2.3.17-0.24.1
      rubygem-actionmailer-2_3-doc-2.3.17-0.24.1
      rubygem-actionmailer-2_3-testsuite-2.3.17-0.24.1
      rubygem-actionpack-2_3-2.3.17-31.1
      rubygem-actionpack-2_3-doc-2.3.17-31.1
      rubygem-actionpack-2_3-testsuite-2.3.17-31.1
      rubygem-activerecord-2_3-2.3.17-27.1
      rubygem-activerecord-2_3-doc-2.3.17-27.1
      rubygem-activerecord-2_3-testsuite-2.3.17-27.1
      rubygem-activeresource-2_3-2.3.17-24.1
      rubygem-activeresource-2_3-doc-2.3.17-24.1
      rubygem-activeresource-2_3-testsuite-2.3.17-24.1
      rubygem-activesupport-2_3-2.3.17-24.1
      rubygem-activesupport-2_3-doc-2.3.17-24.1
      rubygem-rack-1.1.6-16.1
      rubygem-rails-2_3-2.3.17-20.1
      rubygem-rails-2_3-doc-2.3.17-20.1

   - openSUSE 11.4 (noarch):

      rubygem-actionmailer-2.3.17-14.1
      rubygem-actionpack-2.3.17-14.1
      rubygem-activerecord-2.3.17-14.1
      rubygem-activeresource-2.3.17-14.1
      rubygem-activesupport-2.3.17-14.1
      rubygem-rails-2.3.17-14.1

   References:

   http://support.novell.com/security/cve/CVE-2013-0183.html
   http://support.novell.com/security/cve/CVE-2013-0184.html
   http://support.novell.com/security/cve/CVE-2013-0262.html
   http://support.novell.com/security/cve/CVE-2013-0263.html
   http://support.novell.com/security/cve/CVE-2013-0276.html
   http://support.novell.com/security/cve/CVE-2013-0277.html
   https://bugzilla.novell.com/798452
   https://bugzilla.novell.com/803336
   https://bugzilla.novell.com/803339