Security Advisory Moderate: ruby193-rubygem-actionpack security update

Advisory: RHSA-2014:0510-1
Type: Security Advisory
Severity: Moderate
Issued on: 2014-05-15
Last updated on: 2014-05-15
Affected Products: Red Hat Software Collections 1 for RHEL 6
CVEs: CVE-2014-0130


Updated ruby193-rubygem-actionpack packages that fix one security issue are
now available for Red Hat Software Collections 1.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Action Pack implements the controller and the
view components.

A directory traversal flaw was found in the way Ruby on Rails handled
wildcard segments in routes with implicit rendering. A remote attacker
could use this flaw to retrieve arbitrary local files accessible to a Ruby
on Rails application using the aforementioned routes via a specially
crafted request. (CVE-2014-0130)
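
A routes-file audit for the flaw described above, added here as an example; it is not part of this advisory or of the Rails code base. It assumes, following the upstream Rails advisory for this CVE, that the affected route shape is a glob segment that captures the :action parameter (written `*action`); the `audit_routes` helper, the sample routes and the controller names are constructed for illustration.

```ruby
# Added example (not from the advisory): list wildcard segments in a Rails
# routes file and mark those that feed the :action parameter.

VERBS      = %w[get post put patch delete match].freeze
# A route declaration: verb, optional "(", then the quoted path string.
ROUTE_LINE = /\A\s*(?:#{VERBS.join('|')})\s*\(?\s*(['"])(.*?)\1/
# A wildcard segment such as /*action or (/*path); captures the glob name.
GLOB       = %r{(?:\A|/|\()\*(\w+)}

Finding = Struct.new(:line_no, :path, :glob, :status)

def audit_routes(source)
  findings = []
  source.each_line.with_index(1) do |line, line_no|
    next if line.lstrip.start_with?('#')   # skip full-line comments
    m = ROUTE_LINE.match(line)
    next unless m                          # not a route declaration
    path = m[2]
    path.scan(GLOB).flatten.each do |name|
      # Assumption: only globs bound to :action match the flaw's route shape.
      status = name == 'action' ? :action_glob : :other_glob
      findings << Finding.new(line_no, path, name, status)
    end
  end
  findings
end

# Constructed sample routes file; application and controller names are hypothetical.
SAMPLE_ROUTES = <<~'ROUTES'
  Example::Application.routes.draw do
    get 'pages/*action', controller: 'pages'
    # get 'old/*action', controller: 'old'
    get 'files/*path', to: 'files#show'
    get 'help/:action', controller: 'help', action: /faq|contact/
    resources :users
  end
ROUTES

if __FILE__ == $PROGRAM_NAME
  audit_routes(SAMPLE_ROUTES).each do |f|
    puts format('line %d: %-16s glob=*%s  %s', f.line_no, f.path, f.glob, f.status)
  end
end
```

An `:action_glob` hit marks a route to review alongside applying the updated packages; `:other_glob` entries are listed only so that every wildcard route is visible in one pass.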

All ruby193-rubygem-actionpack users are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.


Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at

Updated packages

Red Hat Software Collections 1 for RHEL 6

File outdated by:  RHBA-2014:0619
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at