Candidate: CVE-2013-0155 PublicDate: 2013-01-13 22:55:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155 http://www.openwall.com/lists/oss-security/2013/01/08/13 Description: Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694. Ubuntu-Description: Notes: mdeslaur> in Oneiric+, rails package is just for transition jdstrand> vulnerabilities are in ruby-actionpack* and ruby-activerecord* in Ubuntu 11.10 and higher jdstrand> per Debian, ruby-actionpack-2.3 not-affected (only ruby-activerecord-2.3) Bugs: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697744 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697802 https://bugs.launchpad.net/bugs/1100188 Priority: high Discovered-by: Assigned-to: CVSS: Patches_rails: vendor: http://www.debian.org/security/2013/dsa-2609 upstream_rails: needs-triage hardy_rails: ignored (reached end-of-life) lucid_rails: ignored (reached end-of-life) oneiric_rails: not-affected (contains no code) precise_rails: not-affected (contains no code) quantal_rails: not-affected (contains no code) raring_rails: not-affected (contains no code) saucy_rails: not-affected (contains no code) devel_rails: not-affected (contains no code) Patches_ruby-actionpack-2.3: upstream_ruby-actionpack-2.3: needs-triage hardy_ruby-actionpack-2.3: DNE lucid_ruby-actionpack-2.3: DNE oneiric_ruby-actionpack-2.3: not-affected precise_ruby-actionpack-2.3: not-affected quantal_ruby-actionpack-2.3: not-affected raring_ruby-actionpack-2.3: not-affected saucy_ruby-actionpack-2.3: not-affected devel_ruby-actionpack-2.3: not-affected Patches_ruby-activerecord-2.3: upstream_ruby-activerecord-2.3: released (2.3.14-4) hardy_ruby-activerecord-2.3: DNE lucid_ruby-activerecord-2.3: DNE oneiric_ruby-activerecord-2.3: released (2.3.14-1ubuntu0.11.10.1) precise_ruby-activerecord-2.3: released (2.3.14-1ubuntu0.12.04.1) quantal_ruby-activerecord-2.3: released (2.3.14-2ubuntu0.1) raring_ruby-activerecord-2.3: released (2.3.14-4) saucy_ruby-activerecord-2.3: released (2.3.14-4) devel_ruby-activerecord-2.3: released (2.3.14-4) Patches_ruby-actionpack-3.2: upstream_ruby-actionpack-3.2: released (3.2.6-5) hardy_ruby-actionpack-3.2: DNE lucid_ruby-actionpack-3.2: DNE oneiric_ruby-actionpack-3.2: DNE precise_ruby-actionpack-3.2: DNE quantal_ruby-actionpack-3.2: released (3.2.6-4ubuntu0.1) raring_ruby-actionpack-3.2: not-affected (3.2.6-5) saucy_ruby-actionpack-3.2: not-affected (3.2.6-5) devel_ruby-actionpack-3.2: not-affected (3.2.6-5) Patches_ruby-activerecord-3.2: upstream_ruby-activerecord-3.2: released (3.2.6-4) hardy_ruby-activerecord-3.2: DNE lucid_ruby-activerecord-3.2: DNE oneiric_ruby-activerecord-3.2: DNE precise_ruby-activerecord-3.2: DNE quantal_ruby-activerecord-3.2: released (3.2.6-2ubuntu0.1) raring_ruby-activerecord-3.2: not-affected (3.2.6-4) saucy_ruby-activerecord-3.2: not-affected (3.2.6-4) devel_ruby-activerecord-3.2: not-affected (3.2.6-4)