Security Advisory Critical: rubygem-activesupport security update

Advisory: RHSA-2013:0203-1
Type: Security Advisory
Severity: Critical
Issued on: 2013-01-29
Last updated on: 2013-01-29
Affected Products: Red Hat CloudForms
CVEs (cve.mitre.org): CVE-2013-0333

Details

An updated rubygem-activesupport package that fixes one security issue is
now available for Red Hat CloudForms.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Ruby on Rails is a model–view–controller (MVC) framework for web
application development. Active Support provides support and utility
classes used by the Ruby on Rails framework.

A flaw was found in the way Active Support performed the parsing of JSON
requests by translating them to YAML. A remote attacker could use this flaw
to execute arbitrary code with the privileges of a Ruby on Rails
application, perform SQL injection attacks, or bypass the authentication
using a specially-created JSON request. (CVE-2013-0333)
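The root cause described above is a parser confusion: a JSON request body was handed to a YAML parser, which accepts a far larger grammar (tags, anchors, symbols, unquoted keys) and can build Ruby objects from it. The durable fix is to decode request bodies with a JSON parser only and to refuse anything that is not plain JSON data. The following is an added example written for this page, not Red Hat's or Rails' code: it uses only Ruby's standard `json` library, disables the json gem's own object-creation extension (`create_additions`), and walks the decoded tree to confirm that only plain JSON types came back. The sample request bodies are constructed. For Rails 3.0 applications that could not take the update immediately, upstream's published workaround was the equivalent configuration change of switching the Active Support JSON backend away from YAML (`ActiveSupport::JSON.backend = "JSONGem"`).

```ruby
require 'json'

# Added example (not Red Hat's or Rails' code): decode a JSON request body with a
# JSON parser only, never a YAML parser, and accept nothing but plain JSON types.

class UnsafePayload < StandardError; end

# The only Ruby classes a JSON document can legitimately decode to.
PLAIN_JSON_TYPES = [Hash, Array, String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Parse +body+ strictly. create_additions: false stops the json gem from
# instantiating objects named by a "json_class" key; max_nesting bounds the
# recursion depth. Anything the JSON grammar does not accept (unquoted keys,
# YAML tags, anchors, aliases) raises instead of being interpreted by a more
# permissive parser.
def parse_json_body(body, max_bytes: 1_048_576, max_nesting: 32)
  raise UnsafePayload, "body exceeds #{max_bytes} bytes" if body.bytesize > max_bytes

  data = begin
    JSON.parse(body, create_additions: false, max_nesting: max_nesting)
  rescue JSON::ParserError => e
    raise UnsafePayload, "not valid JSON: #{e.message}"
  end

  unless data.is_a?(Hash) || data.is_a?(Array)
    raise UnsafePayload, "top-level value must be an object or array"
  end
  assert_plain_json!(data)
  data
end

# Defence in depth: walk the decoded tree and confirm every value is one of the
# plain JSON types, so a misconfigured or swapped-in parser cannot hand the
# application Symbols, Ranges or arbitrary Ruby objects.
def assert_plain_json!(value, path = '$')
  unless PLAIN_JSON_TYPES.any? { |t| value.is_a?(t) }
    raise UnsafePayload, "unexpected #{value.class} at #{path}"
  end
  case value
  when Hash
    value.each do |k, v|
      raise UnsafePayload, "non-string key #{k.inspect} at #{path}" unless k.is_a?(String)
      assert_plain_json!(v, "#{path}.#{k}")
    end
  when Array
    value.each_with_index { |v, i| assert_plain_json!(v, "#{path}[#{i}]") }
  end
  true
end

# Convenience for checks and tests: does the strict parser refuse this body?
def rejected?(body)
  parse_json_body(body)
  false
rescue UnsafePayload
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bodies: the first is ordinary JSON; the others are valid
  # YAML flow syntax that a YAML parser would accept but that is not JSON.
  samples = [
    '{"user": {"name": "alice", "roles": ["reader"], "active": true}}',
    '{user: {name: alice}}',               # unquoted keys: YAML mapping, not JSON
    '{"id": !!str 42}',                    # a YAML type tag
    '{"a": &anchor [1, 2], "b": *anchor}'  # YAML anchor and alias
  ]
  samples.each { |body| puts "#{rejected?(body) ? 'REJECT' : 'accept'}  #{body}" }
end
```

The type walk is deliberately redundant with a correctly configured JSON parser; it exists so that the application's contract ("only plain JSON data reaches the controller") is enforced at the boundary rather than assumed from whichever backend happens to be configured.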

Red Hat would like to thank Ruby on Rails upstream for reporting this
issue. Upstream acknowledges Lawrence Pit of Mirror42 as the original
reporter.

Users of Red Hat CloudForms are advised to upgrade to this updated package,
which resolves this issue. Users of CloudForms Cloud Engine must run
"aeolus-services restart" and users of CloudForms System Engine must run
"katello-service restart" for this update to take effect.
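Confirming that a fleet actually received this update means comparing the installed `rubygem-activesupport` build against the fixed build listed on this page, `3.0.10-9.el6cf`, using RPM's version ordering rather than a string comparison. The following is an added example, not Red Hat tooling: it implements the `rpmvercmp` ordering rules (numeric segments compared as integers, alphabetic segments lexically, numeric newer than alphabetic; the `~` and `^` operators are omitted since el6 packages do not use them) and parses package strings in the `name-version-release.arch` form that `rpm -q` prints. The sample package strings are constructed.

```ruby
# Added example (not Red Hat's tooling): decide whether an installed
# rubygem-activesupport package is at or beyond the fixed build from this
# advisory, using RPM's own version ordering rules.

# The fixed build, taken from the package list in this advisory.
FIXED = { name: 'rubygem-activesupport', epoch: 0, version: '3.0.10', release: '9.el6cf' }.freeze

# Compare two version or release strings the way rpmvercmp does: split into
# alternating numeric and alphabetic segments, compare numeric segments as
# integers and alphabetic ones lexically, and treat a numeric segment as newer
# than an alphabetic one. Returns -1, 0 or 1.
def rpmvercmp(a, b)
  return 0 if a == b
  one = a.dup
  two = b.dup
  loop do
    # Separators (dots, underscores, etc.) are skipped, not compared.
    one = one.sub(/\A[^A-Za-z0-9]+/, '')
    two = two.sub(/\A[^A-Za-z0-9]+/, '')
    break if one.empty? || two.empty?

    numeric = one.match?(/\A[0-9]/)
    pattern = numeric ? /\A[0-9]+/ : /\A[A-Za-z]+/
    seg1 = one[pattern]
    seg2 = two[pattern]
    if seg2.nil?
      # Segments of different kinds: the numeric side is newer.
      return numeric ? 1 : -1
    end

    one = one[seg1.length..-1]
    two = two[seg2.length..-1]
    cmp = numeric ? (seg1.to_i <=> seg2.to_i) : (seg1 <=> seg2)
    return cmp unless cmp.zero?
  end
  return 0 if one.empty? && two.empty?
  one.empty? ? -1 : 1
end

# "name-version-release.arch" as printed by `rpm -q`; a trailing ".rpm" from a
# file name is tolerated and an "epoch:" prefix on the version is honoured.
NVRA = /\A(?<name>.+)-(?<version>[^-]+)-(?<release>[^-]+)\.(?<arch>[^.]+)\z/

def parse_nvra(str)
  m = NVRA.match(str.sub(/\.rpm\z/, ''))
  raise ArgumentError, "not an NVRA string: #{str}" unless m
  epoch, version = m[:version].include?(':') ? m[:version].split(':', 2) : ['0', m[:version]]
  { name: m[:name], epoch: epoch.to_i, version: version, release: m[:release], arch: m[:arch] }
end

# Epoch first, then version, then release, each only consulted if the
# previous field tied.
def compare_evr(a, b)
  c = a[:epoch] <=> b[:epoch]
  c = rpmvercmp(a[:version], b[:version]) if c.zero?
  c = rpmvercmp(a[:release], b[:release]) if c.zero?
  c
end

# True when the installed package is the fixed build or a later one.
def patched?(installed_nvra, fixed = FIXED)
  pkg = parse_nvra(installed_nvra)
  raise ArgumentError, "expected #{fixed[:name]}, got #{pkg[:name]}" unless pkg[:name] == fixed[:name]
  compare_evr(pkg, fixed) >= 0
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample outputs of `rpm -q rubygem-activesupport` from three hosts.
  %w[
    rubygem-activesupport-3.0.10-9.el6cf.noarch
    rubygem-activesupport-3.0.10-8.el6cf.noarch
    rubygem-activesupport-3.0.10-10.el6cf.noarch
  ].each { |p| puts "#{patched?(p) ? 'patched   ' : 'VULNERABLE'}  #{p}" }
end
```

A passing version check only shows that the files on disk were replaced. As the advisory notes, the CloudForms services must be restarted for the running Ruby processes to load the updated library, so an inventory check like this should be paired with a check that the relevant processes started after the package was installed.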
Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat CloudForms

SRPMS:
katello-1.1.12.1-1.el6cf.src.rpm
    File outdated by: RHSA-2013:0547
    MD5: 51cf792f49038972d05c8c62d75ce8e0
    SHA-256: 68f6867d0424b985e30159935a6dc11099f9dc4f9859d5a0a622498befc91b31
rubygem-activesupport-3.0.10-9.el6cf.src.rpm
    File outdated by: RHSA-2013:0548
    MD5: aee6a6efeadd735a0844a632c55644f8
    SHA-256: 468e6359ad550dfdb595a9bb85fc0fbd579d99b50c4cd7f605f22a550fb7789c

x86_64:
katello-1.1.12.1-1.el6cf.noarch.rpm
    File outdated by: RHSA-2013:0547
    MD5: fed0ab555b7ee59e5ff8b39e1d53fb2f
    SHA-256: d5d843cdd6b785be46ab245b85aad1500c5fc1260976b1938979018570c0e3cf
katello-all-1.1.12.1-1.el6cf.noarch.rpm
    File outdated by: RHSA-2013:0547
    MD5: 5b4363565fb7833a34f67deda025d746
    SHA-256: 1e29f9f2e890757a056d547f215c8778502778e6704e7e2c492c4357130bfe24
katello-api-docs-1.1.12.1-1.el6cf.noarch.rpm
    File outdated by: RHSA-2013:0547
    MD5: f8e999a206a029597ef112f8abfe1467
    SHA-256: cbcf4b850150bfffacd689e98b2f6dd5c65ac49e2d50dbf12976d5502cb902ec
katello-common-1.1.12.1-1.el6cf.noarch.rpm
    File outdated by: RHSA-2013:0547
    MD5: 978a6f55cc7ab2cf8a7ca4cba217b343
    SHA-256: e9c42493c93c3c85944bd1aad6fae37f7e6d7a137df2da528af0c377c84618ae
katello-glue-candlepin-1.1.12.1-1.el6cf.noarch.rpm
    File outdated by: RHSA-2013:0547
    MD5: 9087c640a026b20f35f1eb1a98535eed
    SHA-256: 073b2b599bab9a8fd24d17538e04b27545bcd4d34235eb94ee89debdc6f3d3df
katello-glue-pulp-1.1.12.1-1.el6cf.noarch.rpm
    File outdated by: RHSA-2013:0547
    MD5: 83b78d503f1596e144ea2cd7cba19b69
    SHA-256: e53ff7cab2e0b0b198873cf89ce6203dd5189b1e90038a89f593e2ef13e2f54f
rubygem-activesupport-3.0.10-9.el6cf.noarch.rpm
    File outdated by: RHSA-2013:0548
    MD5: cda83931349754b7ae4b3f59f9ef0846
    SHA-256: 78911dbb43c4a04839da67ee2595eb45befc1394fb28766184c8ed91316409dc

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

903440 - CVE-2013-0333 rubygem-activesupport: json to yaml parsing
References
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/