-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin

                            ASB-2013.0042
   [SEC] [ANN] Rails 3.2.13, 3.1.12, and 2.3.18 have been released!
                             20 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby on Rails
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service          -- Remote/Unauthenticated
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1857 CVE-2013-1856 CVE-2013-1855 CVE-2013-1854
Member content until: Friday, April 19 2013

OVERVIEW

        Multiple vulnerabilities have been identified in Ruby on Rails prior
        to versions 3.2.13, 3.1.12, and 2.3.18. [1]

IMPACT

        The vendor has provided the following information:

        "Symbol DoS vulnerability in Active Record

        There is a symbol DoS vulnerability in Active Record. This
        vulnerability has been assigned the CVE identifier CVE-2013-1854.

        Versions Affected:  3.2.x, 3.1.x, 2.3.x
        Not affected:       3.0.x
        Fixed Versions:     3.2.13, 3.1.12, 2.3.18" [2]

        "XSS vulnerability in sanitize_css in Action Pack

        There is an XSS vulnerability in the `sanitize_css` method in Action
        Pack. This vulnerability has been assigned the CVE identifier
        CVE-2013-1855.

        Versions Affected:  All.
        Not affected:       None.
        Fixed Versions:     3.2.13, 3.1.12, 2.3.18" [3]

        "XML Parsing Vulnerability affecting JRuby users

        There is a vulnerability in the JDOM backend to ActiveSupport's XML
        parser. This could allow an attacker to perform a denial of service
        attack or gain access to files stored on the application server.
        This vulnerability has been assigned the CVE identifier
        CVE-2013-1856.

        Versions Affected:  3.0.0 and All Later Versions when using JRuby
        Not affected:       Applications not using JRuby or JRuby
                            applications not using the JDOM backend.
        Fixed Versions:     3.2.13, 3.1.12" [4]

        "XSS Vulnerability in the `sanitize` helper of Ruby on Rails

        There is an XSS vulnerability in the sanitize helper in Ruby on
        Rails. This vulnerability has been assigned the CVE identifier
        CVE-2013-1857.

        Versions Affected:  All.
        Not affected:       None.
        Fixed Versions:     3.2.13, 3.1.12, 2.3.18" [5]

MITIGATION

        The vendor recommends upgrading to versions 3.2.13, 3.1.12, or
        2.3.18. [1]

REFERENCES

        [1] [SEC] [ANN] Rails 3.2.13, 3.1.12, and 2.3.18 have been released!
            http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/

        [2] [CVE-2013-1854] Symbol DoS vulnerability in Active Record
            https://groups.google.com/forum/#!topic/ruby-security-ann/o0Dsdk2WrQ0

        [3] [CVE-2013-1855] XSS vulnerability in sanitize_css in Action Pack
            https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8

        [4] [CVE-2013-1856] XML Parsing Vulnerability affecting JRuby users
            https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI

        [5] [CVE-2013-1857] XSS Vulnerability in the `sanitize` helper of Ruby on Rails
            https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUUkKRO4yVqjM2NGpAQLkHQ//aS5+e7SMSSJSd3ZtdvCL/YMcnH0ZPloP
aA+U5LwwHazCk8aB/XSlBVOE3+EoukxzBaMtagthGqKBLIoTwinPEe2Sm6fr+t1M
GgsPFiCEts+azpKF8KQVgR+JU303XWSCQmTeQule5prGzdFpAVJKf68l3v0oShIu
SgfPj67SvvG0zApiIXjBBjseHX/MKmjP4/febwZg9w4FEPWXa2ZvVZCBgXW9UV3F
p78sYiBKO0C8O4mANwY0MT/pC9jVwAqb8bWgTB6bMbcMS04yRHcWhyqSSRAh6f0n
nmrT9S8QfdLs5lCov/OGBBDESH8Vs7JbB6g5Ee9VUjxpnZQnzGjxLqZirGBmnhxd
EKjb4SrqHj1QJ5CD/2O/TA8S31eyb4MvXp7JeyzGYDREXBHuowIRWA+EaTOIIwG6
DrJMgmxSNYohNh2DhCciSV3XIm2vQzhBaBZ9J/IkhkQmhA1IF2uatxjz2IRipt5O
kTiYi2o+/sdFbveCogzzPtLHOpFRAI9AC+g/0DdVrUUpa9D85I8s811+mlYy/1ZR
F50f4pEIs4EAZvLA/wKh1NVSjPagDE73D1GHV8age2sT/BKnwzNM+X/5H7zxdwur
ReaCPj6p4GA2o7/rbAdPyrBOseP3Kd50Ev/g6BDxHHloX/ANJkYRuvv8Jx8GB4fS
cYM20sEAAuk=
=7Yy6
-----END PGP SIGNATURE-----
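The practical check behind the MITIGATION section is whether a deployed application's locked Rails version is at or above the fixed release for its series. The script below is an added example, not part of the AusCERT bulletin or of the Rails project: it reads a Gemfile.lock, extracts the resolved `rails` version, and classifies it against the fixed versions and the per-series "Versions Affected" statements quoted above. The Gemfile.lock excerpt is constructed for the demonstration, and the function names (`locked_rails_version`, `applicable_cves`, `assess`) and the series-to-CVE mapping are this example's own reading of the bulletin text.

```ruby
# Added example, not part of the AusCERT bulletin or the Rails project:
# compare the rails version locked in a Gemfile.lock against the fixed
# releases named in ASB-2013.0042.
require 'rubygems'

# Fixed release per series, as listed in the bulletin. No fixed 3.0.x
# release is listed, so a 3.0.x application stays affected until it moves
# to a series that has a fixed release.
FIXED_VERSIONS = {
  '3.2' => Gem::Version.new('3.2.13'),
  '3.1' => Gem::Version.new('3.1.12'),
  '2.3' => Gem::Version.new('2.3.18')
}.freeze

# Series the bulletin covers at all (3.0.x is affected by the XSS issues).
AFFECTED_SERIES = %w[2.3 3.0 3.1 3.2].freeze

# Constructed Gemfile.lock excerpt, used when no file path is given.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.12)
        activemodel (= 3.2.12)
      rails (3.2.12)
        actionmailer (= 3.2.12)
        railties (= 3.2.12)
      railties (3.2.12)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.12)
LOCK

# Bundler lists resolved gems under "specs:" indented by four spaces and
# their dependencies by six, so match exactly four spaces and the bare gem
# name 'rails' (not railties, and not the DEPENDENCIES entry).
def locked_rails_version(lock_text)
  m = lock_text.match(/^ {4}rails \((\d[\w.]*)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# CVEs that apply to a series, per the bulletin's "Versions Affected" lines.
def applicable_cves(series, jruby)
  cves = %w[CVE-2013-1855 CVE-2013-1857]                          # sanitize_css / sanitize XSS: all versions
  cves << 'CVE-2013-1854' if %w[3.2 3.1 2.3].include?(series)      # symbol DoS; 3.0.x not affected
  cves << 'CVE-2013-1856' if jruby && %w[3.0 3.1 3.2].include?(series) # JDOM XML backend, JRuby only
  cves.sort
end

# Classify a version as :fixed, :vulnerable (with CVEs and advice), or
# :not_covered for series the bulletin does not mention.
def assess(version, jruby: false)
  series = version.segments[0, 2].join('.')
  base = { version: version.to_s, series: series }
  return base.merge(status: :not_covered) unless AFFECTED_SERIES.include?(series)

  fixed = FIXED_VERSIONS[series]
  return base.merge(status: :fixed) if fixed && version >= fixed

  advice = if fixed
             "upgrade rails to #{fixed}"
           else
             "no fixed #{series}.x release is listed; upgrade to 3.2.13 or 3.1.12"
           end
  base.merge(status: :vulnerable, cves: applicable_cves(series, jruby), advice: advice)
end

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  version = locked_rails_version(lock)
  if version.nil?
    puts 'no rails gem found in Gemfile.lock'
  else
    # On JRuby, RUBY_PLATFORM is "java"; only then can the JDOM issue apply.
    result = assess(version, jruby: RUBY_PLATFORM == 'java')
    puts "rails #{result[:version]} (#{result[:series]}.x): #{result[:status]}"
    puts "  #{result[:cves].join(', ')}" if result[:cves]
    puts "  #{result[:advice]}" if result[:advice]
  end
end
```

Run it as `ruby check_rails_asb_2013_0042.rb path/to/Gemfile.lock` (the file name is arbitrary); with no argument it evaluates the constructed excerpt and reports 3.2.12 as vulnerable with an upgrade to 3.2.13. The JRuby flag matters only for CVE-2013-1856: the bulletin scopes that issue to JRuby applications using the JDOM backend, so a run on MRI never lists it, and even on JRuby the result is an upper bound until the XML backend in use is confirmed.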