ruby on rails security update to 2.3.16
This update updates the RubyOnRails 2.3 stack to 2.3.16, also
this update updates the RubyOnRails 3.2 stack to 3.2.11.
Security and bugfixes were done, foremost:
CVE-2013-0333: A JSON sql/code injection problem was fixed.
CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed.
CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed.
CVE-2013-0155: Unsafe Query Generation Risk in Ruby on Rails was fixed.
CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed.
-
Submitted by
Marcus Rueckert (darix)
Fixed bugs
bnc#766792
VUL-0: rubygem-activerecord: SQL Injection (CVE-2012-2695)
bnc#775649
VUL-0: CVE-2012-3465: rubygem-rails: strip_tags helper incorrenctly handels malformed HTML resulting in XSS flaw
bnc#775653
VUL-0: CVE-2012-3464: rubygem-rails: XSS flaws when validating single quote characters
bnc#796712
VUL-0: CVE-2012-5664: rubygem-activerecord: SQL Injection Vulnerability in Active Record
bnc#797449
VUL-0: rubygem-activerecord*: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
bnc#797452
VUL-0: CVE-2013-0156: rubygem-actionpack*: Multiple vulnerabilities in parameter parsing in Action Pack
bnc#798452
VUL-0: rubygem-rack*: 3 DoS conditions in Rack
bnc#798458
VUL-1: CVE-2013-0179: memcached: DoS when printing out keys to be deleted in verbose mode
bnc#800320
VUL-0: CVE-2013-0333: rubygem-activesupport*: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3
