Your message dated Sun, 17 Jun 2012 00:20:42 +0000
with message-id <[email protected]>
and subject line Bug#675396: fixed in ruby-activerecord-3.2 3.2.6-1
has caused the Debian Bug report #675396,
regarding rails: CVE-2012-2661 SQL-injection vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
675396: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675396
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rails
Severity: important
Tags: security, patch
http://seclists.org/oss-sec/2012/q2/448
"""
SQL Injection Vulnerability in Ruby on Rails
There is a SQL injection vulnerability in Active Record, version 3.0 and later.
This vulnerability has been assigned the CVE identifier CVE-2012-2661.
Versions Affected: 3.0.0 and ALL later versions
Not affected: 2.3.14
Fixed Versions: 3.2.4, 3.1.5, 3.0.13
Impact
------
Due to the way Active Record handles nested query parameters, an attacker can
use a specially crafted request to inject some forms of SQL into your
application's SQL queries.
All users running an affected release should upgrade immediately.
Impacted code directly passes request params to the `where` method of an
ActiveRecord class like this:
Post.where(:id => params[:id]).all
An attacker can make a request that causes `params[:id]` to return a specially
crafted hash that will cause the WHERE clause of the SQL statement to query an
arbitrary table with some value.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
This issue can be mitigated by casting the parameter to an expected value. For
example, change this:
Post.where(:id => params[:id]).all
to this:
Post.where(:id => params[:id].to_s).all
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches
for the two supported release series. They are in git-am format and consist of
a single changeset. We have also provided a patch for the 3.0 series despite
the fact it is unmaintained.
* 3-0-params_sql_injection.patch - Patch for 3.0 series
* 3-1-params_sql_injection.patch - Patch for 3.1 series
* 3-2-params_sql_injection.patch - Patch for 3.2 series
Please note that only the 3.1.x and 3.2.x series are supported at present.
Users of earlier unsupported releases are advised to upgrade as soon as
possible as we cannot guarantee the continued availability of security fixes
for unsupported releases.
Credits
-------
Thanks to Ben Murphy for reporting the vulnerability to us, and to Chad Pyne of
thoughtbot for helping us verify the fix.
"""
-- System Information:
Debian Release: 6.0.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
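The advisory's workaround casts the parameter before it reaches `where`. The following is an added example, not code from the advisory, from Rails or from the Debian package: it shows why a parameter the controller expects to be a scalar can arrive as a Hash (frameworks expand `a[b]=c` into nested hashes), applies the advisory's `.to_s` cast, and adds a stricter integer cast plus a WHERE builder that refuses non-scalar values. `parse_nested_params`, `id_param_as_string`, `id_param_as_integer` and `build_where` are stand-ins written for this illustration; the query strings are constructed sample input.

```ruby
# Added example (not from the advisory, Rails or the Debian package).
# Illustrates the CVE-2012-2661 mitigation: cast or validate request
# parameters before they reach a query builder.
require 'uri'

# Stand-in for the framework's nested-parameter parsing:
# "a[b]=c" becomes {"a" => {"b" => "c"}}. Real frameworks do this for every
# request, so a value the code treats as a scalar may be a Hash.
def parse_nested_params(query_string)
  params = {}
  URI.decode_www_form(query_string).each do |key, value|
    if (m = key.match(/\A([^\[\]]+)\[([^\[\]]*)\]\z/))
      params[m[1]] = {} unless params[m[1]].is_a?(Hash)
      params[m[1]][m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# The advisory's workaround: force the parameter to a String. A Hash becomes
# its inspect string, which matches no real primary key.
def id_param_as_string(params)
  params['id'].to_s
end

# Stricter cast for a numeric primary key: anything that is not an integer
# literal (a Hash, an Array, "12abc") is rejected before any SQL is built.
def id_param_as_integer(params)
  value = params['id']
  unless value.is_a?(String) || value.is_a?(Integer)
    raise ArgumentError, "id must be a scalar, got #{value.class}"
  end
  Integer(value.to_s, 10)
end

# Minimal WHERE builder that accepts only scalar values. A Hash or Array here
# means the request was shaped in a way the code never intended, so fail
# loudly instead of guessing what the caller meant.
def build_where(table, conditions)
  clauses = conditions.map do |column, value|
    if value.is_a?(Hash) || value.is_a?(Array)
      raise TypeError, "non-scalar value for #{table}.#{column}"
    end
    quoted = value.is_a?(Integer) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
    "#{table}.#{column} = #{quoted}"
  end
  "SELECT * FROM #{table} WHERE #{clauses.join(' AND ')}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample requests: a normal one and one carrying a nested value.
  normal = parse_nested_params('id=12')
  nested = parse_nested_params('id[unexpected]=value')

  puts build_where('posts', 'id' => id_param_as_integer(normal))
  puts id_param_as_string(nested).inspect   # a harmless string, not a Hash

  begin
    build_where('posts', 'id' => nested['id'])
  rescue TypeError => e
    puts "rejected: #{e.message}"
  end
end
```

The `.to_s` cast is the smallest change and is what the advisory suggests; the integer cast is preferable for numeric keys because it also rejects malformed scalars, and the builder's type check catches the case where someone later forgets to cast.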
--- Begin Message ---
Source: ruby-activerecord-3.2
Source-Version: 3.2.6-1
We believe that the bug you reported is fixed in the latest version of
ruby-activerecord-3.2, which is due to be installed in the Debian FTP archive:
ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
ruby-activerecord-3.2_3.2.6-1.dsc
to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6-1.dsc
ruby-activerecord-3.2_3.2.6-1_all.deb
to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6-1_all.deb
ruby-activerecord-3.2_3.2.6.orig.tar.gz
to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonio Terceiro <[email protected]> (supplier of updated
ruby-activerecord-3.2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 16 Jun 2012 20:58:15 -0300
Source: ruby-activerecord-3.2
Binary: ruby-activerecord-3.2
Architecture: source all
Version: 3.2.6-1
Distribution: unstable
Urgency: low
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Antonio Terceiro <[email protected]>
Description:
ruby-activerecord-3.2 - object-relational mapper framework (part of Rails)
Closes: 675396 675429
Changes:
ruby-activerecord-3.2 (3.2.6-1) unstable; urgency=low
.
* New upstream release. Fixes the following security problems:
+ CVE-2012-2695
+ CVE-2012-2660 (Closes: #675429)
+ CVE-2012-2661 (Closes: #675396)
* debian/control:
+ Add myself to Uploaders:
+ Conflict with ruby-activerecord-2.3
+ Review short description
* debian/patches/Remove_rubygems_dependency.patch: do not require database
adapters to be installed via Rubygems.
Checksums-Sha1:
bdae91bb2c992d8427a08ef0f6852c351d9d04a4 1681 ruby-activerecord-3.2_3.2.6-1.dsc
d094533d81c5c05ff57a3ad60370a51120c48161 388542 ruby-activerecord-3.2_3.2.6.orig.tar.gz
ac06d9cea429e035de515d1e3265f66d76f5e175 3201 ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
d8cbfb16718a269c06890b7c0208f666a682a526 391234 ruby-activerecord-3.2_3.2.6-1_all.deb
Checksums-Sha256:
c35bf868740e055e23b7a19224924a930f93a3cc10f1dfb20fc8451511d6ee5c 1681 ruby-activerecord-3.2_3.2.6-1.dsc
42b454aa45d940369f5baf2ad245e741c075bb81e688f603c82d65b893bdff8b 388542 ruby-activerecord-3.2_3.2.6.orig.tar.gz
d1b639d14584f7a4460c71af3b4f662b74d42481b16b719359e4ee3f5a86b25c 3201 ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
3e5c0fe7dd489811591ca7222957a1c9e4810e61380568e7d943e836ecc0bba4 391234 ruby-activerecord-3.2_3.2.6-1_all.deb
Files:
02dd79518ae747268edc52e2276afd7b 1681 ruby optional ruby-activerecord-3.2_3.2.6-1.dsc
cfcceb44e4f7a66bcbb7982e733738b4 388542 ruby optional ruby-activerecord-3.2_3.2.6.orig.tar.gz
a13c0e3a7b126773cf969c9e0ca0fcef 3201 ruby optional ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
62cd46e3f2c6f2f4c88bb123a9c44abf 391234 ruby optional ruby-activerecord-3.2_3.2.6-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAk/dHdgACgkQDOM8kQ+cso9gBQCfb+bJx9gh9IaBb33JP3EJ2ur4
BwIAnR4KxLNP70m6ei5FQGqD2qjNlLV6
=11PY
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers