MGASA-2014-0303

Updated ruby-actionpack packages fix security issues

Publication date: 26 Jul 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-0130, CVE-2014-3483

Description

Updated ruby-actionpack and ruby-activerecord packages fix security
vulnerabilities:

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb
in the implicit-render implementation in Ruby on Rails before 4.0.5, when
certain route globbing configurations are enabled, allows remote attackers to
read arbitrary files via a crafted request (CVE-2014-0130).

PostgreSQL supports a number of unique data types which are not present in
other supported databases. A bug in the SQL quoting code in ActiveRecord in
Ruby on Rails before 4.0.7 can allow an attacker to inject arbitrary SQL using
carefully crafted values (CVE-2014-3483).

The associated Ruby on Rails packages have been updated to version 4.0.8, to
address these and other issues.