reassign 675396 ruby-activerecord-3.2
thank you

On Thu, May 31, 2012 at 10:12 PM, Henri Salo <[email protected]> wrote:
> Package: rails
> Severity: important
> Tags: security, patch
>
> http://seclists.org/oss-sec/2012/q2/448
>
> """
> SQL Injection Vulnerability in Ruby on Rails
>
> There is a SQL injection vulnerability in Active Record, version 3.0 and
> later. This vulnerability has been assigned the CVE identifier CVE-2012-2661.
>
> Versions Affected: 3.0.0 and ALL later versions
> Not affected: 2.3.14
> Fixed Versions: 3.2.4, 3.1.5, 3.0.13
>
> Impact
> ------
> Due to the way Active Record handles nested query parameters, an attacker can
> use a specially crafted request to inject some forms of SQL into your
> application's SQL queries.
>
> All users running an affected release should upgrade immediately.
>
> Impacted code directly passes request params to the `where` method of an
> ActiveRecord class like this:
>
> Post.where(:id => params[:id]).all
>
> An attacker can make a request that causes `params[:id]` to return a
> specially crafted hash that will cause the WHERE clause of the SQL statement
> to query an arbitrary table with some value.
>
> Releases
> --------
> The FIXED releases are available at the normal locations.
>
> Workarounds
> -----------
> This issue can be mitigated by casting the parameter to an expected value.
> For example, change this:
>
> Post.where(:id => params[:id]).all
>
> to this:
>
> Post.where(:id => params[:id].to_s).all
>
> Patches
> -------
> To aid users who aren't able to upgrade immediately we have provided patches
> for the two supported release series. They are in git-am format and consist
> of a single changeset. We have also provided a patch for the 3.0 series
> despite the fact it is unmaintained.
>
> * 3-0-params_sql_injection.patch - Patch for 3.0 series
> * 3-1-params_sql_injection.patch - Patch for 3.1 series
> * 3-2-params_sql_injection.patch - Patch for 3.2 series
>
> Please note that only the 3.1.x and 3.2.x series are supported at present.
> Users of earlier unsupported releases are advised to upgrade as soon as
> possible as we cannot guarantee the continued availability of security fixes
> for unsupported releases.
>
> Credits
> -------
>
> Thanks to Ben Murphy for reporting the vulnerability to us, and to Chad Pyne
> of thoughtbot for helping us verify the fix.
> """
>
> -- System Information:
> Debian Release: 6.0.5
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
> Shell: /bin/sh linked to /bin/dash
--
Ondřej Surý <[email protected]>
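The workaround from the quoted advisory, as an added example that is not part of the bug report or the Rails advisory: it shows what `.to_s` does to a scalar id and to a nested-hash id, beside a stricter cast that rejects anything that is not an integer id. The params hashes and the `strict_id` helper are assumptions of this example, standing in for a Rails request.

```ruby
# Added example, not code from the advisory or the Debian bug: how the
# ".to_s" workaround behaves on a normal scalar id and on a nested-hash id,
# next to a stricter cast that refuses anything that is not an integer id.
# The params hashes below are constructed stand-ins for a Rails request.

NORMAL_PARAMS = { id: "42" }.freeze
# Constructed: a request where params[:id] arrived as a nested hash instead
# of a scalar, which is the parameter shape the advisory warns about.
NESTED_PARAMS = { id: { "some_column" => "some_value" } }.freeze

# The advisory's workaround: force the value to a String before it reaches
# `where`. A Hash becomes its inspect-style string, so Active Record binds
# it as a plain string literal instead of treating it as a nested condition.
def workaround_id(params)
  params[:id].to_s
end

# Stricter variant (an assumption of this example): accept only a String or
# Integer and require the String to parse as a base-10 integer. Hash, Array
# and nil are rejected with ArgumentError, as are values such as "42abc".
def strict_id(params)
  value = params[:id]
  case value
  when Integer then value
  when String  then Integer(value, 10) # raises ArgumentError on "42abc"
  else raise ArgumentError, "id must be a scalar, got #{value.class}"
  end
end

# True when the stricter cast accepts the request, false when it rejects it.
def strict_id_accepted?(params)
  strict_id(params)
  true
rescue ArgumentError
  false
end
```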

