[v2.6] ruby-actionmailer: remote DoS and compromise (CVE-2013-6414 CVE-2013-6415 CVE-2013-6417)
CVE-2013-6414:
actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on
Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to
cause a denial of service (memory consumption) via a header containing
an invalid MIME type that leads to excessive caching.
•MLIST:[ruby-security-ann] 20131203 [CVE-2013-6414] Denial of Service Vulnerability in Action View
•URL: https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ
•CONFIRM: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
•DEBIAN:DSA-2888
•URL: http://www.debian.org/security/2014/dsa-2888
•REDHAT:RHSA-2013:1794
•URL: http://rhn.redhat.com/errata/RHSA-2013-1794.html
•REDHAT:RHSA-2014:0008
•URL: http://rhn.redhat.com/errata/RHSA-2014-0008.html
•SUSE:openSUSE-SU-2013:1904
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
•SUSE:openSUSE-SU-2013:1906
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
•SUSE:openSUSE-SU-2013:1907
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
•SUSE:openSUSE-SU-2014:0009
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html

CVE-2013-6415:
Cross-site scripting (XSS) vulnerability in the number_to_currency
helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby
on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to
inject arbitrary web script or HTML via the unit parameter.
•MLIST:[ruby-security-ann] 20131203 [CVE-2013-6415] XSS Vulnerability in number_to_currency
•URL: https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ
•CONFIRM: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
•DEBIAN:DSA-2888
•URL: http://www.debian.org/security/2014/dsa-2888
•REDHAT:RHSA-2013:1794
•URL: http://rhn.redhat.com/errata/RHSA-2013-1794.html
•REDHAT:RHSA-2014:0008
•URL: http://rhn.redhat.com/errata/RHSA-2014-0008.html
•SUSE:openSUSE-SU-2013:1904
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
•SUSE:openSUSE-SU-2013:1906
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
•SUSE:openSUSE-SU-2013:1907
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
•SUSE:openSUSE-SU-2014:0009
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
•SUSE:openSUSE-SU-2014:0019
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html
•SUSE:openSUSE-SU-2013:1905
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html
•SECUNIA:56093
•URL: http://secunia.com/advisories/56093

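The XSS described for CVE-2013-6415 comes down to one option being interpolated into markup without escaping. The following is an added illustration written for this page, not Rails' own number_to_currency: a stripped-down helper with the same `unit` option, first in the unescaped shape the advisory describes and then with the option HTML-escaped before substitution (which is assumed here to mirror the behaviour of the fixed releases). The number formatting, the `pattern` keyword and the `currency_helper_demo` function are simplifications of this example, not Rails API.

```ruby
require "erb"

# Added example, not Rails' own code: a stripped-down helper modelled on
# number_to_currency so the effect of escaping the `unit` option can be seen.
# Number formatting is simplified to two decimals; only the escaping differs
# between the two versions.

# Vulnerable shape (the behaviour CVE-2013-6415 describes): whatever the
# caller passed as the unit is substituted into the markup untouched, so a
# unit that originated in a request parameter is rendered as HTML.
def number_to_currency_unescaped(number, unit: "$", pattern: "%u%n")
  amount = Kernel.format("%.2f", number)
  pattern.sub("%u") { unit }.sub("%n") { amount }
end

# Hardened shape: both substituted pieces are HTML-escaped before they are
# placed in the pattern, so a tainted unit is displayed rather than executed.
def number_to_currency_escaped(number, unit: "$", pattern: "%u%n")
  amount = Kernel.format("%.2f", number)
  pattern.sub("%u") { ERB::Util.html_escape(unit) }
         .sub("%n") { ERB::Util.html_escape(amount) }
end

# Self-check: the same tainted unit is inert only in the escaped version.
def currency_helper_demo
  tainted_unit = "<b>USD</b>" # constructed sample input, not from the page
  {
    unescaped: number_to_currency_unescaped(3.5, unit: tainted_unit),
    escaped:   number_to_currency_escaped(3.5, unit: tainted_unit)
  }
end

puts currency_helper_demo if __FILE__ == $PROGRAM_NAME
```

Run the file directly to see both renderings side by side; the escaped variant is the one to keep whenever any option can be influenced by request data.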
CVE-2013-6417:
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before
3.2.16 and 4.x before 4.0.2 does not properly consider differences in
parameter handling between the Active Record component and the JSON
implementation, which allows remote attackers to bypass intended
database-query restrictions and perform NULL checks or trigger missing
WHERE clauses via a crafted request that leverages (1) third-party Rack
middleware or (2) custom Rack middleware. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2013-0155.
•MLIST:[ruby-security-ann] 20131203 [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
•URL: https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ
•CONFIRM: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
•DEBIAN:DSA-2888
•URL: http://www.debian.org/security/2014/dsa-2888
•REDHAT:RHSA-2013:1794
•URL: http://rhn.redhat.com/errata/RHSA-2013-1794.html
•REDHAT:RHSA-2014:0008
•URL: http://rhn.redhat.com/errata/RHSA-2014-0008.html
•SUSE:openSUSE-SU-2013:1904
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
•SUSE:openSUSE-SU-2013:1906
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
•SUSE:openSUSE-SU-2013:1907
•URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
•SUSE:openSUSE-SU-2014:0009
•URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html

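CVE-2013-6417 is about the gap between what a query-string parser can produce (only strings) and what a JSON body decoded by some Rack middleware can hand the application (null, arrays, nested objects). The example below is added for this page and is not Rails code: it shows an application-side check that refuses anything but a non-empty string before a parameter reaches a query, independent of which middleware parsed the body. `BadParameter`, `scalar_param`, `suspicious_json_bodies` and `check_bodies` are names invented for the example, and the JSON bodies are constructed samples of the shapes the advisory refers to.

```ruby
require "json"

# Added example (not Rails code). A JSON body can carry null, arrays and
# nested objects where a query string yields only strings, so a value that
# will be handed to a query builder is type-checked here before use,
# regardless of which middleware decoded the request.

class BadParameter < ArgumentError; end

# Returns the value only when it is a non-empty String; nil, [], [nil] and
# Hash values are rejected so they can never shape a WHERE clause.
def scalar_param(params, key)
  value = params[key]
  unless value.is_a?(String) && !value.empty?
    raise BadParameter, "#{key} must be a non-empty string"
  end
  value
end

# Constructed bodies standing in for what a JSON-parsing middleware would
# deliver to the application; none of these shapes can arise from a query
# string, which is exactly why a JSON path needs its own check.
def suspicious_json_bodies
  ['{"token": null}', '{"token": [null]}', '{"token": []}', '{"token": {"x": 1}}']
end

# True when every suspicious body is rejected and an ordinary one passes.
def check_bodies
  rejected = suspicious_json_bodies.all? do |body|
    begin
      scalar_param(JSON.parse(body), "token")
      false
    rescue BadParameter
      true
    end
  end
  rejected && scalar_param(JSON.parse('{"token": "abc123"}'), "token") == "abc123"
end

puts(check_bodies ? "all suspicious shapes rejected" : "check failed") if __FILE__ == $PROGRAM_NAME
```

The check belongs at the point where the parameter is consumed, not only in a parser: the advisory's point is that third-party or custom middleware may bypass the framework's own parameter normalisation, so the consuming code should not assume it ran.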
(from redmine: issue id 2808, created on 2014-04-03, closed on 2015-05-22)
- Relations:
  - parent #2806 (closed)
- Changesets:
  - Revision 58bc3dae by Kaarle Ritvanen on 2014-12-10T01:06:53Z:
    main/ruby-rails: upgrade to 3.2.21
    fixes #2579
    fixes #2805
    fixes #2808
    fixes #2942
    fixes #3151
    fixes #3474
    fixes #3580
    fixes #3584
    CVE-2013-0334
    CVE-2013-4389
    CVE-2013-4492
    CVE-2013-6414
    CVE-2013-6415
    CVE-2013-6417
    CVE-2014-0081
    CVE-2014-0082
    CVE-2014-0130
    CVE-2014-3482
    CVE-2014-3483
    CVE-2014-7818
    CVE-2014-7819
  - Revision 6220de6d by Kaarle Ritvanen on 2014-12-10T01:07:22Z:
    main/ruby-redmine-rails: upgrade to 3.2.21
    fixes #2805
    fixes #2808
    fixes #2942
    fixes #3151
    fixes #3580
    fixes #3584
    CVE-2013-4389
    CVE-2013-6414
    CVE-2013-6415
    CVE-2013-6417
    CVE-2014-0081
    CVE-2014-0082
    CVE-2014-0130
    CVE-2014-3482
    CVE-2014-3483
    CVE-2014-7818
    CVE-2014-7819