Updated ruby-actionpack packages fix security issues
Publication date: 26 Jul 2014
Modification date: 26 Jul 2014
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-0130 , CVE-2014-3483
Description
Updated ruby-actionpack and ruby-activerecord packages fix security vulnerabilities:

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 4.0.5, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request (CVE-2014-0130).

PostgreSQL supports a number of unique data types which are not present in other supported databases. A bug in the SQL quoting code in ActiveRecord in Ruby on Rails before 4.0.7 can allow an attacker to inject arbitrary SQL using carefully crafted values (CVE-2014-3483).

The associated Ruby on Rails packages have been updated to version 4.0.8, to address these and other issues.
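The following is an added example, not part of the Mageia advisory or of the Rails project: a small Ruby check that parses the top-level `specs:` entries of a `Gemfile.lock` and reports which of the two components named above is still below the fixed version stated in the text (actionpack 4.0.5 for CVE-2014-0130, activerecord 4.0.7 for CVE-2014-3483). The lockfile content is constructed for the example; the function and constant names are the example's own.

```ruby
# Added example (not from the Mageia advisory): scan a Gemfile.lock for the
# Rails components this advisory covers and report which CVEs still apply.
require 'rubygems' # for Gem::Version comparisons

# Fixed versions as stated in the advisory text. The text only speaks of the
# 4.0.x line ("before 4.0.5" / "before 4.0.7"); other branches are out of scope here.
ADVISORY = {
  'actionpack'   => { cve: 'CVE-2014-0130', fixed_in: '4.0.5' },
  'activerecord' => { cve: 'CVE-2014-3483', fixed_in: '4.0.7' },
}.freeze

# Parse the top-level spec lines of a Gemfile.lock, which have the form
#     "    name (version)"   (four-space indent; dependency lines are indented
# six spaces and carry a constraint such as "(= 4.0.4)", so they do not match).
# Returns a Hash of gem name => version string.
def parse_lockfile(text)
  versions = {}
  text.each_line do |line|
    m = line.match(/\A    (\S+) \(([^)\s]+)\)\s*\z/)
    next unless m
    versions[m[1]] = m[2]
  end
  versions
end

# Given the Hash from parse_lockfile, return [gem, version, cve] triples for
# every advisory component that is present and older than its fixed version.
def affected_components(versions)
  ADVISORY.each_with_object([]) do |(gem_name, info), out|
    ver = versions[gem_name]
    next unless ver
    if Gem::Version.new(ver) < Gem::Version.new(info[:fixed_in])
      out << [gem_name, ver, info[:cve]]
    end
  end
end

# Constructed sample lockfile: actionpack is still on 4.0.4 (affected by
# CVE-2014-0130), activerecord is already on the advisory's 4.0.8.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.0.4)
        activesupport (= 4.0.4)
      activerecord (4.0.8)
        activemodel (= 4.0.8)
      activesupport (4.0.4)
LOCK

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  findings = affected_components(parse_lockfile(text))
  if findings.empty?
    puts 'No advisory components below their fixed version.'
  else
    findings.each { |gem_name, ver, cve| puts "#{gem_name} #{ver}: affected by #{cve}" }
  end
end
```

Run it with a path to a real `Gemfile.lock` as the first argument, or with no argument to see the constructed sample reported. Because `Gem::Version` handles prerelease and multi-segment versions, the comparison is more reliable than a string compare, which is why the check goes through it rather than splitting on dots by hand.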
References
- http://weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/
- http://weblog.rubyonrails.org/2014/6/26/Rails-4-1-2-and-4-0-6-has-been-released/
- http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/
- http://weblog.rubyonrails.org/2014/7/2/Rails_4_0_8_and_4_1_4_have_been_released/
- https://bugs.mageia.org/show_bug.cgi?id=13659
- https://bugs.mageia.org/show_bug.cgi?id=13339
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3483
SRPMS
4/core
- ruby-actionmailer-4.0.8-1.mga4
- ruby-actionpack-4.0.8-1.mga4
- ruby-activemodel-4.0.8-1.mga4
- ruby-activerecord-4.0.8-1.mga4
- ruby-activesupport-4.0.8-1.mga4
- ruby-rails-4.0.8-1.mga4
- ruby-railties-4.0.8-1.mga4