[v2.7] ruby-actionmailer: remote DoS and compromise (CVE-2013-6414 CVE-2013-6415 CVE-2013-6417)
CVE-2013-6414:
actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on
Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to
cause a denial of service (memory consumption) via a header containing
an invalid MIME type that leads to excessive caching.
• MLIST: [ruby-security-ann] 20131203 [CVE-2013-6414] Denial of Service Vulnerability in Action View
• URL: https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ
• CONFIRM: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
• DEBIAN: DSA-2888
• URL: http://www.debian.org/security/2014/dsa-2888
• REDHAT: RHSA-2013:1794
• URL: http://rhn.redhat.com/errata/RHSA-2013-1794.html
• REDHAT: RHSA-2014:0008
• URL: http://rhn.redhat.com/errata/RHSA-2014-0008.html
• SUSE: openSUSE-SU-2013:1904
• URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
• SUSE: openSUSE-SU-2013:1906
• URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
• SUSE: openSUSE-SU-2013:1907
• URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
• SUSE: openSUSE-SU-2014:0009
• URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
CVE-2013-6415:
Cross-site scripting (XSS) vulnerability in the number_to_currency
helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby
on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to
inject arbitrary web script or HTML via the unit parameter.
• MLIST: [ruby-security-ann] 20131203 [CVE-2013-6415] XSS Vulnerability in number_to_currency
• URL: https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ
• CONFIRM: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
• DEBIAN: DSA-2888
• URL: http://www.debian.org/security/2014/dsa-2888
• REDHAT: RHSA-2013:1794
• URL: http://rhn.redhat.com/errata/RHSA-2013-1794.html
• REDHAT: RHSA-2014:0008
• URL: http://rhn.redhat.com/errata/RHSA-2014-0008.html
• SUSE: openSUSE-SU-2013:1904
• URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
• SUSE: openSUSE-SU-2013:1906
• URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
• SUSE: openSUSE-SU-2013:1907
• URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
• SUSE: openSUSE-SU-2014:0009
• URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
• SUSE: openSUSE-SU-2014:0019
• URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00013.html
• SUSE: openSUSE-SU-2013:1905
• URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00080.html
• SECUNIA: 56093
• URL: http://secunia.com/advisories/56093
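As an added illustration of the CVE-2013-6415 bug class, not code from Rails or from this issue: a constructed currency-formatting helper shown once with the caller-supplied unit interpolated raw into markup, and once with the unit HTML-escaped, which is the kind of fix the 3.2.16 / 4.0.2 releases applied. The helper names, the markup and the sample units are constructed for this example.

```ruby
require 'erb'

# Constructed stand-in for a currency helper. It is not Rails'
# number_to_currency; it only reproduces the shape of the problem.
def format_currency_unescaped(amount, unit: "$")
  # Vulnerable shape: the unit goes straight into the HTML, so a unit
  # that originates from request input can carry markup or script.
  "<span class=\"price\">#{unit}#{'%.2f' % amount}</span>"
end

def format_currency_escaped(amount, unit: "$")
  # Hardened shape: escape the unit before interpolating it. Amounts are
  # produced by the formatter itself and need no escaping.
  safe_unit = ERB::Util.html_escape(unit)
  "<span class=\"price\">#{safe_unit}#{'%.2f' % amount}</span>"
end

# Review/test check: a unit containing HTML metacharacters must never
# appear verbatim in the rendered output.
def unit_leaks_markup?(html, unit)
  unit.match?(/[<>"']/) && html.include?(unit)
end

if __FILE__ == $PROGRAM_NAME
  tainted = "<b>x</b>"                       # constructed sample input
  puts format_currency_unescaped(12.5, unit: tainted)
  puts format_currency_escaped(12.5, unit: tainted)
  puts format_currency_escaped(3, unit: "€") # a legitimate unit is untouched
end
```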
CVE-2013-6417:
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before
3.2.16 and 4.x before 4.0.2 does not properly consider differences in
parameter handling between the Active Record component and the JSON
implementation, which allows remote attackers to bypass intended
database-query restrictions and perform NULL checks or trigger missing
WHERE clauses via a crafted request that leverages (1) third-party Rack
middleware or (2) custom Rack middleware. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2013-0155.
• MLIST: [ruby-security-ann] 20131203 [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
• URL: https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ
• CONFIRM: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/
• DEBIAN: DSA-2888
• URL: http://www.debian.org/security/2014/dsa-2888
• REDHAT: RHSA-2013:1794
• URL: http://rhn.redhat.com/errata/RHSA-2013-1794.html
• REDHAT: RHSA-2014:0008
• URL: http://rhn.redhat.com/errata/RHSA-2014-0008.html
• SUSE: openSUSE-SU-2013:1904
• URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html
• SUSE: openSUSE-SU-2013:1906
• URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html
• SUSE: openSUSE-SU-2013:1907
• URL: http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html
• SUSE: openSUSE-SU-2014:0009
• URL: http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html
(from redmine: issue id 2809, created on 2014-04-03, closed on 2014-04-21)
- Relations:
  - parent #2806 (closed)
- Changesets:
  - Revision fd539db8 by Natanael Copa on 2014-04-21T14:39:05Z:
    main/ruby-actionmailer: security upgrade to 4.0.4 (CVE-2013-6414,CVE-2013-6415,CVE-2013-6417)
    fixes #2809