Candidate: CVE-2013-0276
PublicDate: 2013-02-13 01:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276
 https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/AFBKNY7VSH8
Description:
 ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and
 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected
 protection mechanism and modify protected model attributes via a crafted
 request.
Ubuntu-Description:
Notes:
 mdeslaur> in Oneiric+, rails package is just for transition
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_rails:
 upstream: https://groups.google.com/group/rubyonrails-security/attach/bb44b98a73ef1a06/2-3-attr_protected.patch?part=3 (2.3)
 upstream: https://groups.google.com/group/rubyonrails-security/attach/bb44b98a73ef1a06/3-0-attr_protected.patch?part=4 (3.0)
 upstream: https://groups.google.com/group/rubyonrails-security/attach/bb44b98a73ef1a06/3-1-attr_protected.patch?part=5 (3.1)
 upstream: https://groups.google.com/group/rubyonrails-security/attach/bb44b98a73ef1a06/3-2-attr_protected.patch?part=6 (3.2)
upstream_rails: released (2.3.17, 3.1.11, 3.2.12)
hardy_rails: ignored (reached end-of-life)
lucid_rails: ignored (reached end-of-life)
oneiric_rails: not-affected (contains no code)
precise_rails: not-affected (contains no code)
precise/esm_rails: DNE (precise was not-affected [contains no code])
quantal_rails: not-affected (contains no code)
raring_rails: not-affected (contains no code)
saucy_rails: not-affected (contains no code)
trusty_rails: not-affected (contains no code)
trusty/esm_rails: DNE (trusty was not-affected [contains no code])
utopic_rails: not-affected (contains no code)
vivid_rails: not-affected (contains no code)
vivid/stable-phone-overlay_rails: DNE
vivid/ubuntu-core_rails: DNE
wily_rails: not-affected (contains no code)
xenial_rails: not-affected (contains no code)
yakkety_rails: not-affected (contains no code)
zesty_rails: not-affected (contains no code)
devel_rails: not-affected (contains no code)

Patches_ruby-activerecord-2.3:
 upstream: https://groups.google.com/group/rubyonrails-security/attach/bb44b98a73ef1a06/2-3-attr_protected.patch?part=3 (2.3)
upstream_ruby-activerecord-2.3: ignored (reached end-of-life)
hardy_ruby-activerecord-2.3: DNE
lucid_ruby-activerecord-2.3: DNE
oneiric_ruby-activerecord-2.3: ignored (reached end-of-life)
precise_ruby-activerecord-2.3: ignored (reached end-of-life)
precise/esm_ruby-activerecord-2.3: DNE (precise was needed)
quantal_ruby-activerecord-2.3: ignored (reached end-of-life)
raring_ruby-activerecord-2.3: ignored (reached end-of-life)
saucy_ruby-activerecord-2.3: ignored (reached end-of-life)
trusty_ruby-activerecord-2.3: DNE
trusty/esm_ruby-activerecord-2.3: DNE
utopic_ruby-activerecord-2.3: DNE
vivid_ruby-activerecord-2.3: DNE
vivid/stable-phone-overlay_ruby-activerecord-2.3: DNE
vivid/ubuntu-core_ruby-activerecord-2.3: DNE
wily_ruby-activerecord-2.3: DNE
xenial_ruby-activerecord-2.3: DNE
yakkety_ruby-activerecord-2.3: DNE
zesty_ruby-activerecord-2.3: DNE
devel_ruby-activerecord-2.3: DNE

Patches_ruby-activerecord-3.2:
 upstream: https://groups.google.com/group/rubyonrails-security/attach/bb44b98a73ef1a06/3-2-attr_protected.patch?part=6 (3.2)
upstream_ruby-activerecord-3.2: released (3.2.12)
hardy_ruby-activerecord-3.2: DNE
lucid_ruby-activerecord-3.2: DNE
oneiric_ruby-activerecord-3.2: DNE
precise_ruby-activerecord-3.2: DNE
precise/esm_ruby-activerecord-3.2: DNE
quantal_ruby-activerecord-3.2: ignored (reached end-of-life)
raring_ruby-activerecord-3.2: ignored (reached end-of-life)
saucy_ruby-activerecord-3.2: not-affected (3.2.13-4)
trusty_ruby-activerecord-3.2: not-affected (3.2.16-1)
trusty/esm_ruby-activerecord-3.2: DNE (trusty was not-affected [3.2.16-1])
utopic_ruby-activerecord-3.2: DNE
vivid_ruby-activerecord-3.2: DNE
vivid/stable-phone-overlay_ruby-activerecord-3.2: DNE
vivid/ubuntu-core_ruby-activerecord-3.2: DNE
wily_ruby-activerecord-3.2: DNE
xenial_ruby-activerecord-3.2: DNE
yakkety_ruby-activerecord-3.2: DNE
zesty_ruby-activerecord-3.2: DNE
devel_ruby-activerecord-3.2: DNE