Security Advisory Critical: Ruby on Rails security update

Advisory: RHSA-2013:0153-1
Type: Security Advisory
Severity: Critical
Issued on: 2013-01-10
Last updated on: 2013-01-10
Affected Products: Red Hat OpenShift Enterprise 1
CVEs (cve.mitre.org): CVE-2013-0156

Details

Updated rubygem-actionpack, rubygem-activesupport,
ruby193-rubygem-actionpack, and ruby193-rubygem-activesupport packages that
fix multiple security issues are now available for Red Hat OpenShift
Enterprise 1.0.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Ruby on Rails is a model–view–controller (MVC) framework for web
application development. Action Pack implements the controller and the view
components. Active Support provides support and utility classes used by the
Ruby on Rails framework.

Multiple flaws were found in the way Ruby on Rails performed XML parameter
parsing in HTTP requests. A remote attacker could use these flaws to
execute arbitrary code with the privileges of a Ruby on Rails application,
perform SQL injection attacks, or bypass authentication using a
specially-crafted HTTP request. (CVE-2013-0156)

Red Hat is aware that a public exploit for the CVE-2013-0156 issues is
available that allows remote code execution in applications using Ruby on
Rails.

All users of Red Hat OpenShift Enterprise are advised to upgrade to these
updated packages, which correct these issues. For Red Hat OpenShift
Enterprise administrators, the openshift-broker and openshift-console
services must be restarted for this update to take effect. Users of
OpenShift are advised to update their own applications that are running
Ruby on Rails.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat OpenShift Enterprise 1

SRPMS:
ruby193-rubygem-actionpack-3.2.8-2.el6.src.rpm
    File outdated by: RHSA-2013:0698
    MD5: b56b9d4f9c6cd12ee75f8c72b5432ee3
    SHA-256: 710c2add612bc0fd8b364f75e2fc2c6e4e940e53c3e43ce9ad934cea50c2166b
ruby193-rubygem-activesupport-3.2.8-3.el6.src.rpm
    File outdated by: RHSA-2013:0728
    MD5: 7b1daab9f709df12fb787532b90616c5
    SHA-256: df17a0d7f9329ca736afc397941744eaccefc8ed0fa5d69fd4dbe141734c06e8
rubygem-actionpack-3.0.13-2.1.el6op.src.rpm
    File outdated by: RHSA-2013:0698
    MD5: 92ddc8e96b22b850d2c384a33af34bb4
    SHA-256: fda45270d919337bd735ed67e23aec17dc45b83e3175e5c2d4a172341441096f
rubygem-activesupport-3.0.13-2.el6op.src.rpm
    File outdated by: RHSA-2013:0202
    MD5: b9b430c269ec7ec94d46f5d677964f85
    SHA-256: 33cfd678893075abf778a52fbd797c2457ed7d93a04c037e4219270ff0af1575

x86_64:
ruby193-rubygem-actionpack-3.2.8-2.el6.noarch.rpm
    File outdated by: RHSA-2013:0698
    MD5: e6bb22691f1e1959c4dcd8eded25d1cf
    SHA-256: da4cd24ed2e2ee00492782e95efa8059611d52e440f82b265dd3a42d6d9808c5
ruby193-rubygem-actionpack-doc-3.2.8-2.el6.noarch.rpm
    File outdated by: RHSA-2013:0698
    MD5: 780cf77d81c47225ef3f434beab2a22d
    SHA-256: 6c054b0ed15861c744a86af0e7fedaaef48c2bc340de4c12888cdf36f2adf4e1
ruby193-rubygem-activesupport-3.2.8-3.el6.noarch.rpm
    File outdated by: RHSA-2013:0728
    MD5: b4e0b1dd9da2728e2eee8d916b33f319
    SHA-256: 80b6e324506a6c0ab6cd4f4a82eccdc33156bf5fee67820dc09a6346fccba0de
rubygem-actionpack-3.0.13-2.1.el6op.noarch.rpm
    File outdated by: RHSA-2013:0698
    MD5: 4874b94cdf3668e1bacc25378e136edb
    SHA-256: add56b302964ae868e67acb9160998ea4e097205aa901e2a9986fb10f9f92d4a
rubygem-activesupport-3.0.13-2.el6op.noarch.rpm
    File outdated by: RHSA-2013:0202
    MD5: ddf77565fe59c638f89cca29926b78dd
    SHA-256: fc3d3bc0176debe97d035d0d0c7bd103d7e7b2f460c5a7a10450e5212467e139

(The unlinked packages above are only available from the Red Hat Network)
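To verify that a host actually carries the fixed builds listed above, here is an added example (not part of the Red Hat advisory) that compares `rpm -qa` output against this advisory's fixed version-release strings. The rpm version comparison is a simplified reimplementation (no epoch or tilde handling), and the sample `rpm -qa` lines are constructed.

```python
import re

# Fixed builds from this advisory: package name -> (version, release).
FIXED = {
    "rubygem-actionpack": ("3.0.13", "2.1.el6op"),
    "rubygem-activesupport": ("3.0.13", "2.el6op"),
    "ruby193-rubygem-actionpack": ("3.2.8", "2.el6"),
    "ruby193-rubygem-activesupport": ("3.2.8", "3.el6"),
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Simplified rpm-style comparison: -1, 0 or 1 for a <, ==, > b.
    Strings are split into numeric and alphabetic segments; numeric
    segments compare as integers and sort newer than alphabetic ones."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split 'name-version-release.arch' as printed by `rpm -qa`."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+)\.([^.]+)$", line.strip())
    if not m:
        return None
    name, ver, rel, _arch = m.groups()
    return name, ver, rel

def check_host(rpm_qa_lines):
    """Return {package: 'fixed' | 'VULNERABLE'} for the packages in FIXED."""
    result = {}
    for line in rpm_qa_lines:
        parsed = parse_nvra(line)
        if not parsed or parsed[0] not in FIXED:
            continue  # unrelated package
        name, ver, rel = parsed
        fver, frel = FIXED[name]
        cmp = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
        result[name] = "fixed" if cmp >= 0 else "VULNERABLE"
    return result

# Constructed sample of `rpm -qa` output (not taken from a real host).
SAMPLE = [
    "rubygem-actionpack-3.0.13-2.el6op.noarch",      # release older than 2.1
    "rubygem-activesupport-3.0.13-2.el6op.noarch",   # exactly the fixed build
    "ruby193-rubygem-actionpack-3.2.8-1.el6.noarch", # release older than 2
    "openssl-1.0.0-27.el6.x86_64",                   # not covered here
]
```

On a real host, feed `check_host` the lines of `rpm -qa` and treat any `VULNERABLE` entry as not yet patched; remember the advisory also requires restarting openshift-broker and openshift-console after the upgrade.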

Bugs fixed (see bugzilla for more information)

892870 - CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/