Your message dated Sat, 12 Jan 2013 15:47:05 +0000
with message-id <[email protected]>
and subject line Bug#697722: fixed in rails 2.3.5-1.2+squeeze4.1
has caused the Debian Bug report #697722,
regarding rails: CVE-2013-0156: Multiple vulnerabilities in parameter parsing 
in Action Pack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
697722: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697722
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rails
Version: 2:2.3.14.2
Severity: grave
Tags: security

http://www.openwall.com/lists/oss-security/2013/01/08/14
https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

"""
Multiple vulnerabilities in parameter parsing in Action Pack 

There are multiple weaknesses in the parameter parsing code for Ruby on Rails 
which allows attackers to bypass authentication systems, inject arbitrary SQL, 
inject and execute arbitrary code, or perform a DoS attack on a Rails 
application. This vulnerability has been assigned the CVE identifier 
CVE-2013-0156. 

Versions Affected:  ALL versions 
Not affected:       NONE 
Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15 
<snip>
"""

This probably affects squeeze and wheezy too. Please contact me in case you 
need any help!

- Henri Salo

--- End Message ---
--- Begin Message ---
Source: rails
Source-Version: 2.3.5-1.2+squeeze4.1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <[email protected]> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 09 Jan 2013 12:31:47 -0500
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby 
libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby 
libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby 
libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 
libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source all
Version: 2.3.5-1.2+squeeze4.1
Distribution: stable-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers 
<[email protected]>
Changed-By: Antoine Beaupré <[email protected]>
Description: 
 libactionmailer-ruby - Framework for generation of customized email messages
 libactionmailer-ruby1.8 - Framework for generation of customized email messages
 libactionpack-ruby - Controller and View framework used by Rails
 libactionpack-ruby1.8 - Controller and View framework used by Rails
 libactiverecord-ruby - ORM database interface for ruby
 libactiverecord-ruby1.8 - ORM database interface for ruby
 libactiverecord-ruby1.9.1 - ORM database interface for ruby
 libactiveresource-ruby - Connects objects and REST web services
 libactiveresource-ruby1.8 - Connects objects and REST web services
 libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
 rails      - MVC ruby based framework geared for web application development
 rails-doc  - Documentation for rails, a MVC ruby based framework
 rails-ruby1.8 - MVC ruby based framework geared for web application development
Closes: 697722
Changes: 
 rails (2.3.5-1.2+squeeze4.1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches/CVE-2013-0156.patch: fix remote execution (Closes: #697722)
Checksums-Sha1: 
 9e81e7c7095bf82907a9567f302793648fb70aba 2438 rails_2.3.5-1.2+squeeze4.1.dsc
 6a2e7be45e12a81a5af84c4912c51f0b9a9ecacd 28105 
rails_2.3.5-1.2+squeeze4.1.debian.tar.gz
 4b2aa65aca7b1fb08173edb906173867733e04f5 12282 
rails_2.3.5-1.2+squeeze4.1_all.deb
 5fae39f096d9c618ab2ab13a9e2866b1bd039e24 221760 
rails-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 c1968f5aab7f996f5c477fdef5367159fbca2031 891848 
rails-doc_2.3.5-1.2+squeeze4.1_all.deb
 13a0d35eb36d9e61489245f3c351c0373639957b 9734 
libactiverecord-ruby_2.3.5-1.2+squeeze4.1_all.deb
 b29e26881e3094fc84f4f2c4a6d04564a291d0bf 266430 
libactiverecord-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 6ed98652310d6c10aabbb84059f8d418fafa7049 265238 
libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 110141c940b20db8de94f84bb00a9faa4deda371 9656 
libactivesupport-ruby_2.3.5-1.2+squeeze4.1_all.deb
 e4b2f0c972a8d72dfe552a4ec86d0206279d9bc9 260700 
libactivesupport-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 1a71d6012a85ad802ec4b5d226db3e39a60fd2a9 260512 
libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 229eea266e7026d4870aa53aa3a32809bff07e57 9794 
libactionpack-ruby_2.3.5-1.2+squeeze4.1_all.deb
 7ee43077b192d9ed16ee7b02dadc73cab66fc2bf 320106 
libactionpack-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 49cc438f4240bbaebfc41410a928f9e0654dd387 9760 
libactionmailer-ruby_2.3.5-1.2+squeeze4.1_all.deb
 c0dd8259b5fdc1abe60d9f1f752448ec253cdd34 32032 
libactionmailer-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 0b9a5f19b984b901e80f27a6608bfa6dd333939e 9776 
libactiveresource-ruby_2.3.5-1.2+squeeze4.1_all.deb
 91e9c29e240dfaa83072fda7674da2bd36352095 37144 
libactiveresource-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
Checksums-Sha256: 
 51aa6f0ffb4140143a72111ee83898137bb402ddabb48c77bee63f4a201687b7 2438 
rails_2.3.5-1.2+squeeze4.1.dsc
 8ae9b7341963cc3a349a9cd5216da17934fc23355a1f8d411387ac513e6f896b 28105 
rails_2.3.5-1.2+squeeze4.1.debian.tar.gz
 38b5c73b041416df63f7799faf0b9e1ed940a9297545a62f1cbba07fac6b4a45 12282 
rails_2.3.5-1.2+squeeze4.1_all.deb
 6fa665e3b8db2f33a6e55b306c5b9f6f833b4e4de26d4efcac8814d279f5d20a 221760 
rails-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 1805567830fd55132a5d10d29624269f13583aaedb97ade75a62adfc2a77f643 891848 
rails-doc_2.3.5-1.2+squeeze4.1_all.deb
 323feacdef1b0d0b5eee342ba0a5bef192560482123f27a970b5289ab3d2b96d 9734 
libactiverecord-ruby_2.3.5-1.2+squeeze4.1_all.deb
 dcc16ce4b37abbd3c4bbb41b864bbcbff4e20b3759117fbbc989a0108e12a02d 266430 
libactiverecord-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 f2a6fc1c93591720460e00913797e5ad2584772cdfa1d6fe2d4c0fc3d5c23b58 265238 
libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 cc9e6c6ab3bad6668fb4a5b9abbad0ee785ec468d07ac78d90b035a96c21bd22 9656 
libactivesupport-ruby_2.3.5-1.2+squeeze4.1_all.deb
 85f8ad488c9639e33b47cdec98c3348607fafa94153933b2667a60d5f1a9a6b3 260700 
libactivesupport-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 020091d236e6a5960fa581078a8d17977701c8c70454ea5d1283f901d40b8ae8 260512 
libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 cc4b7ea14025e56fcaf41780af821a698164ff213b649b5bd66ab77ceac4645c 9794 
libactionpack-ruby_2.3.5-1.2+squeeze4.1_all.deb
 f337de0b12129ba1cea113413aebbcec25600731b165d7c208ac2c1549cdee53 320106 
libactionpack-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 a0036cd6c504f962a41e36ec1ef7ff4742accf4c7eb4328c7b4db43b74e80355 9760 
libactionmailer-ruby_2.3.5-1.2+squeeze4.1_all.deb
 968f586f119a5722722f253b6a1b21c7848cbbbadb1eeb38b6bd2d95bd51d9ae 32032 
libactionmailer-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 36ea0bb2d94382abedbbf48bd522d8cbd9933e68f16b8b9f4b655f0ee6b72b9e 9776 
libactiveresource-ruby_2.3.5-1.2+squeeze4.1_all.deb
 f9011184c1baa98ed7c41370f06caf81f17a84551204ed6b180429348fa6ce5f 37144 
libactiveresource-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
Files: 
 09f7cbd2b86cfafab5b75e15ee146e59 2438 ruby optional 
rails_2.3.5-1.2+squeeze4.1.dsc
 5920d8423b094dd587eb6380a1e100b1 28105 ruby optional 
rails_2.3.5-1.2+squeeze4.1.debian.tar.gz
 c38a3797f7b343bede1fb88a0bdf6010 12282 ruby optional 
rails_2.3.5-1.2+squeeze4.1_all.deb
 2983384cf065ab13ba6487bf153bdba5 221760 ruby optional 
rails-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 efcb7c98db6fab7f72d00956f834039f 891848 doc optional 
rails-doc_2.3.5-1.2+squeeze4.1_all.deb
 4e91bae9b089c805a577b31dafacd369 9734 ruby optional 
libactiverecord-ruby_2.3.5-1.2+squeeze4.1_all.deb
 7ded3445ea7024f69e81695b80ecfe0b 266430 ruby optional 
libactiverecord-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 c7b41daba154cc104ea56e132b4f16da 265238 ruby optional 
libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 b635cdabe00560107dcb22f75fc67519 9656 ruby optional 
libactivesupport-ruby_2.3.5-1.2+squeeze4.1_all.deb
 1894f46ac5251005fbb863730c8cf1c4 260700 ruby optional 
libactivesupport-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 180aea7baa5276aec07411c8094b9770 260512 ruby optional 
libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 7cf2e53185fea2799a6a31316e9b71f5 9794 ruby optional 
libactionpack-ruby_2.3.5-1.2+squeeze4.1_all.deb
 001de800e01b3108f9c37383ae7c7aa0 320106 ruby optional 
libactionpack-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 3adb325d1deb8b4dc2da2ead9b336a04 9760 ruby optional 
libactionmailer-ruby_2.3.5-1.2+squeeze4.1_all.deb
 691a33a56107136da23524a0f954fa00 32032 ruby optional 
libactionmailer-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 608df23322c5069eaf94a9e1f29090bb 9776 ruby optional 
libactiveresource-ruby_2.3.5-1.2+squeeze4.1_all.deb
 5367c45eda081f3764fda66cb62d049a 37144 ruby optional 
libactiveresource-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQ7a7CAAoJEHkhUlJ7dZIe+KYQAKj+BhhbZ0ASVlemWV4BiI41
64Pqqy6hsGY8CObQFIJuHnuvXE4RZDSqO9OV+DziLVnIPuR93ssG8EPmmHqb3ksk
0QCrYw7uBLJDVssC8h8zM8FVxPzqwwUQQV/CgGcnk6iu1AkD+TQpDEcV19i0hmFn
RLAWbgoW+e5PoKevNTTUDIABDDBKaFjBj+CCYLX4w9LaPFUOqVW1LbEVhndDkbvK
25nr+rFvs6LdfiVlxdpz3z3csBDdQniBYpazAyyriEooZXY/SjauMTuuiidhr9hV
URc8L/PQ8wpCT8YzFAkcsI62TpSrG4P3bRpGooyByWn4/nkCWYRjpDzonZLubw4+
qbGsxZ/4e4ZifSBoNNYlLeaqrHZjHBWyls7XfVJrH5HK/dMW8AKBQs2T+JAVWMQr
VZefbvMhfEfipB7sVJKCOfjDlVhhzQjL+lmXUPCF2oB8XqKsLc4/X/eVGHPRLsSa
oMMAUexIhCWRsAu8DNE3/j5WxlsVCuNvPpz2puc5auzc15T+KZnxdBz8EQJgPlyK
dewNRhSsc3tVBWbii8wYnoFIzJzorHLy9MSgc4EeQFo2G5wAQwDiJx4AFUHRcn9Y
wpLwI6DApru3bZi/Nu0e4HXKLYoUaJEsbVP0M2GPsSlCYuV9haheisbZJiNHPPK1
Qf60vtJAw52EjmwaOyHf
=SzA2
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to