Joined: 12 May 2004
|Posted: Sun Dec 14, 2014 9:26 pm Post subject: [ GLSA 201412-28 ] Ruby on Rails: Multiple vulnerabilities
|Gentoo Linux Security Advisory
Title: Ruby on Rails: Multiple vulnerabilities (GLSA 201412-28)
Date: December 14, 2014
Bug(s): #354249, #379511, #386377, #450974, #453844, #456840, #462452
Multiple vulnerabilities were found in Ruby on Rails, the worst of
which allowing for execution of arbitrary code.
Ruby on Rails is a web-application and persistence framework.
Vulnerable: < 2.3.18
Unaffected: >= 2.3.18
Architectures: All supported architectures
Multiple vulnerabilities have been discovered in Ruby on Rails. Please
review the CVE identifiers referenced below for details.
A remote attacker could execute arbitrary code or cause a Denial of
Service condition. Furthermore, a remote attacker may be able to execute
arbitrary SQL commands, change parameter names for form inputs and make
changes to arbitrary records in the system, bypass intended access
restrictions, render arbitrary views, inject arbitrary web script or
HTML, or conduct cross-site request forgery (CSRF) attacks.
There is no known workaround at this time.
All Ruby on Rails 2.x users should upgrade to the latest version:
NOTE: All applications using Ruby on Rails should also be configured to
|# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.18"
use the latest version available by running “rake rails:update”
inside the application directory.
NOTE: This is a legacy GLSA and stable updates for Ruby on Rails,
including the unaffected version listed above, are no longer available
from Gentoo. It may be possible to upgrade to the 3.2, 4.0, or 4.1
branches, however these packages are not currently stable.
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum