Debian Bug report logs - #699226
rails: CVE-2013-0333: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3

version graph

Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 29 Jan 2013 10:06:01 UTC

Severity: grave

Tags: security

Fixed in version rails/2.3.5-1.2+squeeze6

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#699226; Package rails. (Tue, 29 Jan 2013 10:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 29 Jan 2013 10:06:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rails: CVE-2013-0333: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3
Date: Tue, 29 Jan 2013 11:04:00 +0100
Package: rails
Severity: grave
Tags: security
Justification: user security hole

Hi

The following advisory was made for rails:

 [1] http://weblog.rubyonrails.org/
 [2]: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo

Disclaimer: I have not checked which versions in Debian might be
affected. Can you check and adjust the affected versions?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#699226; Package rails. (Tue, 29 Jan 2013 14:42:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 29 Jan 2013 14:42:05 GMT) Full text and rfc822 format available.

Message #10 received at 699226@bugs.debian.org (full text, mbox):

From: Antonio Terceiro <terceiro@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 699226@bugs.debian.org
Subject: Re: Bug#699226: rails: CVE-2013-0333: Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3
Date: Tue, 29 Jan 2013 11:39:35 -0300
[Message part 1 (text/plain, inline)]
Control: clone 699226 -1
Control: reassign -1 ruby-activesupport-2.3

On Tue, Jan 29, 2013 at 11:04:00AM +0100, Salvatore Bonaccorso wrote:
> The following advisory was made for rails:
> 
>  [1] http://weblog.rubyonrails.org/
>  [2]: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
> 
> Disclaimer: I have not checked which versions in Debian might be
> affected. Can you check and adjust the affected versions?

stable is affected (package rails), a security upload was already made.

testing/unstable is also affected (package ruby-activesupport-2.3), so I
am cloning this bug to that package as well.

Thanks,

-- 
Antonio Terceiro <terceiro@debian.org>
[signature.asc (application/pgp-signature, inline)]

Bug 699226 cloned as bug 699249 Request was from Antonio Terceiro <terceiro@debian.org> to 699226-submit@bugs.debian.org. (Tue, 29 Jan 2013 14:42:05 GMT) Full text and rfc822 format available.

Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Wed, 30 Jan 2013 21:03:06 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 30 Jan 2013 21:03:06 GMT) Full text and rfc822 format available.

Message #17 received at 699226-close@bugs.debian.org (full text, mbox):

From: Antonio Terceiro <terceiro@debian.org>
To: 699226-close@bugs.debian.org
Subject: Bug#699226: fixed in rails 2.3.5-1.2+squeeze6
Date: Wed, 30 Jan 2013 21:02:06 +0000
Source: rails
Source-Version: 2.3.5-1.2+squeeze6

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699226@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 29 Jan 2013 13:37:42 +0000
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source all
Version: 2.3.5-1.2+squeeze6
Distribution: stable-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description: 
 libactionmailer-ruby - Framework for generation of customized email messages
 libactionmailer-ruby1.8 - Framework for generation of customized email messages
 libactionpack-ruby - Controller and View framework used by Rails
 libactionpack-ruby1.8 - Controller and View framework used by Rails
 libactiverecord-ruby - ORM database interface for ruby
 libactiverecord-ruby1.8 - ORM database interface for ruby
 libactiverecord-ruby1.9.1 - ORM database interface for ruby
 libactiveresource-ruby - Connects objects and REST web services
 libactiveresource-ruby1.8 - Connects objects and REST web services
 libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
 rails      - MVC ruby based framework geared for web application development
 rails-doc  - Documentation for rails, a MVC ruby based framework
 rails-ruby1.8 - MVC ruby based framework geared for web application development
Closes: 699226
Changes: 
 rails (2.3.5-1.2+squeeze6) stable-security; urgency=high
 .
   * Team upload.
   * debian/patches/CVE-2013-0333.patch: fix vulnerability in JSON Parser that
     would allow attackers to do very nasty things (Closes: #699226).
Checksums-Sha1: 
 669369d883626d2820ea1c99e399858da4320fc0 1790 rails_2.3.5-1.2+squeeze6.dsc
 65fc44e1583f0d1c375e8b4750b008d32b17fab5 36284 rails_2.3.5-1.2+squeeze6.debian.tar.gz
 2d29def2b25c7702f6cfc9b913efef3566487e25 12418 rails_2.3.5-1.2+squeeze6_all.deb
 cfa3b0e6b70fe5e881c5c0fe94c9ce2f94c21eef 222976 rails-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 a018ffd2e437dc9a64b0498513412d874780169f 909108 rails-doc_2.3.5-1.2+squeeze6_all.deb
 24f01dfd989f82b1d30073fc5925bb544dd0b809 9876 libactiverecord-ruby_2.3.5-1.2+squeeze6_all.deb
 411bf14e6af73275d7cf5946e602aba584bbad51 266022 libactiverecord-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 9ea27d98b3f1e8e861592c26d5f6b9d80420caa2 266332 libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze6_all.deb
 7580884322ac604f0417a331041e3615a0b49c6b 9798 libactivesupport-ruby_2.3.5-1.2+squeeze6_all.deb
 f3808ad4186db1325a80a80c1f831fc8cc0d495a 257824 libactivesupport-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 60cb609beb54a4bf0b7220553da14ccb7f4c2562 257948 libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze6_all.deb
 d1a64560fa72e48ee3c0106dd8374f8c8729487a 9956 libactionpack-ruby_2.3.5-1.2+squeeze6_all.deb
 fde109c33b98c090c90c888610da50c920cf72c8 321858 libactionpack-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 b3ed2cd5ef5745949a7003b92e54df46e55c3e39 9888 libactionmailer-ruby_2.3.5-1.2+squeeze6_all.deb
 35b474ad87410de9253b0d2ec0c9a6fbf5645d90 32190 libactionmailer-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 dd9e353e0daa4968d5dcad902fc7eb26c0f2ede8 9902 libactiveresource-ruby_2.3.5-1.2+squeeze6_all.deb
 0010088d2b57e77410d0a15e1a93c9b7eb2e7087 37310 libactiveresource-ruby1.8_2.3.5-1.2+squeeze6_all.deb
Checksums-Sha256: 
 f1828e2134c09eabb4f2380e3504f11560312fd41c22078be0a8fe0326dd3f90 1790 rails_2.3.5-1.2+squeeze6.dsc
 71e15347ccaafb7bd95b06c634b86a74bd2700904905252b1fdf67d5afd620a1 36284 rails_2.3.5-1.2+squeeze6.debian.tar.gz
 4616a8a5e90c39850f0e5b664014803304a1407949e6ca09611397a12b29e9ba 12418 rails_2.3.5-1.2+squeeze6_all.deb
 9fc27d8549649a92b1eb3d850fa642cd8840575e36fc560fdcc54199717c41a3 222976 rails-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 f61678af564892997aa8c4147e298452452cfcb880a713b4541d4aed94fe64b8 909108 rails-doc_2.3.5-1.2+squeeze6_all.deb
 251aac048a8b8849b13e6eb37d899a9c315d20804e301fbf01c339dff9aab965 9876 libactiverecord-ruby_2.3.5-1.2+squeeze6_all.deb
 9035b6b1816e0da3ee3731ae1a87db66c9077b9a05e343509cf702468eea5868 266022 libactiverecord-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 68bd6855e36d8cfd167d077072b86b881c8a5111d0a1216cb41a6ca6a40ac878 266332 libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze6_all.deb
 7200e0d5bc461e9e70fa54ab599814255fdf8380b3524ba6b68dd116fa33710b 9798 libactivesupport-ruby_2.3.5-1.2+squeeze6_all.deb
 9d32f7d0b1dfc172f4f4fc44fbd284e6ff491d3f9a9f19109d4745fe13f77c3d 257824 libactivesupport-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 d3467394f46be4e35ff529655ad517a24cca2d9dc93c24836b10d56f68a3b39b 257948 libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze6_all.deb
 a8fc18a37298d6fac5b93cd72737b8e1c4deff2469bf2eabfab905e2bc907497 9956 libactionpack-ruby_2.3.5-1.2+squeeze6_all.deb
 3f7f054772c6e1f0e151fb643d10bdc5e828c475e313d670601af0987736ce1f 321858 libactionpack-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 a08524683003ca7a752fb50084c09148d21f64c4f53580d80be531518527f74c 9888 libactionmailer-ruby_2.3.5-1.2+squeeze6_all.deb
 fac0653abb5421fcb7f5be6bff9cb0daee31bffbc3a096f41a70bc00974dd847 32190 libactionmailer-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 ca4fec71512449ecd005c9e10652ea3b37e84ea473553f85f35eb5464f26db55 9902 libactiveresource-ruby_2.3.5-1.2+squeeze6_all.deb
 2d41162df220caf3672c88f36f86af6b4b27069e3d90c5a1bd220619a0d13fa2 37310 libactiveresource-ruby1.8_2.3.5-1.2+squeeze6_all.deb
Files: 
 8068577c87312798c61c09d706883d41 1790 ruby optional rails_2.3.5-1.2+squeeze6.dsc
 e22b75876f6978425d36caae6efe7a59 36284 ruby optional rails_2.3.5-1.2+squeeze6.debian.tar.gz
 a441c73c5408d9fc4c433eec925f1854 12418 ruby optional rails_2.3.5-1.2+squeeze6_all.deb
 6baf5268eddcc63deec9c757c1c4fea1 222976 ruby optional rails-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 71ab8f1312b9741f32d6a34c42ba0057 909108 doc optional rails-doc_2.3.5-1.2+squeeze6_all.deb
 8a01048a718db846f898a8c5a08ea1aa 9876 ruby optional libactiverecord-ruby_2.3.5-1.2+squeeze6_all.deb
 025c3d702801fa132070785bac0330cb 266022 ruby optional libactiverecord-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 54d1fc45fe717728f724de27b5e572c9 266332 ruby optional libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze6_all.deb
 1e6500e5a249247315eaaeaa1083c5ea 9798 ruby optional libactivesupport-ruby_2.3.5-1.2+squeeze6_all.deb
 2c5a4fe7e74e02b12ad3769312a43dbd 257824 ruby optional libactivesupport-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 67663d0ed8642f9691d56d0eed4c98e9 257948 ruby optional libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze6_all.deb
 f88f28ff9b95652b2ac78822f7fbec96 9956 ruby optional libactionpack-ruby_2.3.5-1.2+squeeze6_all.deb
 64e91c1d23c360d47b0668a0ac4d8ac7 321858 ruby optional libactionpack-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 c3a9337c69554b1f95b3086d756053b7 9888 ruby optional libactionmailer-ruby_2.3.5-1.2+squeeze6_all.deb
 62b61ad3adcf46738dd06469b32342bd 32190 ruby optional libactionmailer-ruby1.8_2.3.5-1.2+squeeze6_all.deb
 f6f18e170f565979a9f0498b84434bab 9902 ruby optional libactiveresource-ruby_2.3.5-1.2+squeeze6_all.deb
 731744f60904e193c79843c2e3b497c4 37310 ruby optional libactiveresource-ruby1.8_2.3.5-1.2+squeeze6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlEH2AEACgkQDOM8kQ+cso+/CgCeKs4P0kbJgRWqSxwv92gkm2yk
62QAnRWxlf/kBRj4PxObXJRWxSasI3uX
=ISKc
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Mar 2013 07:28:05 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 23:29:02 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.