[SECURITY] [DSA 2301-2] rails regression

2012-01-2318:35:53

lists.debian.org

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

70.2%

JSON

Debian Security Advisory DSA-2392-1 [email protected]
http://www.debian.org/security/
January 23, 2012 http://www.debian.org/security/faq

Package : rails
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-2930 CVE-2011-2931 CVE-2011-3186 CVE-2009-4214
Debian Bug : 629067

It was discovered that the last security update for Ruby on Rails,
DSA-2301-1, introduced a regression in the libactionpack-ruby package.

For the oldstable distribution (lenny), this problem has been fixed in
version 2.1.0-7+lenny2.

For the stable distribution (squeeze), this problem has been fixed in
version 2.3.5-1.2+squeeze2.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6allrails< 2.3.5-1.2+squeeze2rails_2.3.5-1.2+squeeze2_all.deb
Debian6alllibactionpack-ruby< 2.3.5-1.2+squeeze1libactionpack-ruby_2.3.5-1.2+squeeze1_all.deb
Debian6alllibactiverecord-ruby< 2.3.5-1.2+squeeze1libactiverecord-ruby_2.3.5-1.2+squeeze1_all.deb
Debian6alllibactiverecord-ruby1.9.1< 2.3.5-1.2+squeeze1libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze1_all.deb
Debian6alllibactiveresource-ruby< 2.3.5-1.2+squeeze1libactiveresource-ruby_2.3.5-1.2+squeeze1_all.deb
Debian6alllibactivesupport-ruby1.8< 2.3.5-1.2+squeeze2libactivesupport-ruby1.8_2.3.5-1.2+squeeze2_all.deb
Debian5allrails< 2.1.0-7+lenny1rails_2.1.0-7+lenny1_all.deb
Debian6alllibactionmailer-ruby< 2.3.5-1.2+squeeze1libactionmailer-ruby_2.3.5-1.2+squeeze1_all.deb
Debian6alllibactiverecord-ruby< 2.3.5-1.2+squeeze2libactiverecord-ruby_2.3.5-1.2+squeeze2_all.deb
Debian6alllibactionpack-ruby1.8< 2.3.5-1.2+squeeze2libactionpack-ruby1.8_2.3.5-1.2+squeeze2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	all	rails	< 2.3.5-1.2+squeeze2	rails_2.3.5-1.2+squeeze2_all.deb
Debian	6	all	libactionpack-ruby	< 2.3.5-1.2+squeeze1	libactionpack-ruby_2.3.5-1.2+squeeze1_all.deb
Debian	6	all	libactiverecord-ruby	< 2.3.5-1.2+squeeze1	libactiverecord-ruby_2.3.5-1.2+squeeze1_all.deb
Debian	6	all	libactiverecord-ruby1.9.1	< 2.3.5-1.2+squeeze1	libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze1_all.deb
Debian	6	all	libactiveresource-ruby	< 2.3.5-1.2+squeeze1	libactiveresource-ruby_2.3.5-1.2+squeeze1_all.deb
Debian	6	all	libactivesupport-ruby1.8	< 2.3.5-1.2+squeeze2	libactivesupport-ruby1.8_2.3.5-1.2+squeeze2_all.deb
Debian	5	all	rails	< 2.1.0-7+lenny1	rails_2.1.0-7+lenny1_all.deb
Debian	6	all	libactionmailer-ruby	< 2.3.5-1.2+squeeze1	libactionmailer-ruby_2.3.5-1.2+squeeze1_all.deb
Debian	6	all	libactiverecord-ruby	< 2.3.5-1.2+squeeze2	libactiverecord-ruby_2.3.5-1.2+squeeze2_all.deb
Debian	6	all	libactionpack-ruby1.8	< 2.3.5-1.2+squeeze2	libactionpack-ruby1.8_2.3.5-1.2+squeeze2_all.deb