Candidate: CVE-2012-2694
PublicDate: 2012-06-22 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2694
 https://groups.google.com/group/rubyonrails-security/msg/e2d3a87f2c211def?dmode=source&output=gplain
Description:
 actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before
 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly
 consider differences in parameter handling between the Active Record
 component and the Rack interface, which allows remote attackers to bypass
 intended database-query restrictions and perform NULL checks via a crafted
 request, as demonstrated by certain "['xyz', nil]" values, a related issue
 to CVE-2012-2660.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675429
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_ruby-activerecord-3.2:
upstream_ruby-activerecord-3.2: released (3.2.6-1)
hardy_ruby-activerecord-3.2: DNE
lucid_ruby-activerecord-3.2: DNE
natty_ruby-activerecord-3.2: DNE
oneiric_ruby-activerecord-3.2: DNE
precise_ruby-activerecord-3.2: DNE
devel_ruby-activerecord-3.2: not-affected (3.2.6-1)