SuSE Update For Ruby OpenSUSE-SU-2013:0280-1 (ruby) Network Vulnerability

Solution

Please Install the Updated Packages.

Insight

This update updates the RubyOnRails 2.3 stack to 2.3.16. Security and bugfixes were done, foremost: CVE-2013-0333: A JSON sql/code injection problem was fixed. CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed. CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed. CVE-2013-0155: Unsafe Query Generation Risk in Ruby on Rails was fixed. CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed. CVE-2012-5664: options hashes should only be extracted if there are extra parameters CVE-2012-2695: Fix SQL injection via nested hashes in conditions CVE-2013-0156: Hash.from_xml raises when it encounters type=&quot symbol&quot or type=&quot yaml&quot . Use Hash.from_trusted_xml to parse this XM

Affected

ruby on openSUSE 11.4

References

http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00005.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2012-2695, CVE-2012-5664, CVE-2013-0155, CVE-2013-0156, CVE-2013-0333

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

SuSE Update for ruby openSUSE-SU-2013:0280-1 (ruby)

Take action and discover your vulnerabilities