Candidate: CVE-2013-0277
PublicDate: 2013-02-13 01:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277
 https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KtmwSbEpzrU
Description:
 ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote
 attackers to cause a denial of service or execute arbitrary code via crafted
 serialized attributes that cause the +serialize+ helper to deserialize
 arbitrary YAML.
Ubuntu-Description:
Notes:
 mdeslaur> in Oneiric+, rails package is just for transition
Bugs:
Priority: medium
Discovered-by: Tobias Kraze
Assigned-to:
CVSS:

Patches_rails:
 upstream: https://groups.google.com/group/rubyonrails-security/attach/302ec7ce90f13837/2-3-serialize.patch?part=3 (2.3)
 upstream: https://groups.google.com/group/rubyonrails-security/attach/302ec7ce90f13837/3-0-serialize.patch?part=4 (3.0)
upstream_rails: released (2.3.17, 3.1.0)
hardy_rails: ignored (reached end-of-life)
lucid_rails: ignored (reached end-of-life)
oneiric_rails: not-affected (contains no code)
precise_rails: not-affected (contains no code)
precise/esm_rails: DNE (precise was not-affected [contains no code])
quantal_rails: not-affected (contains no code)
raring_rails: not-affected (contains no code)
saucy_rails: not-affected (contains no code)
trusty_rails: not-affected (contains no code)
trusty/esm_rails: DNE (trusty was not-affected [contains no code])
utopic_rails: not-affected (contains no code)
vivid_rails: not-affected (contains no code)
vivid/stable-phone-overlay_rails: DNE
vivid/ubuntu-core_rails: DNE
wily_rails: not-affected (contains no code)
xenial_rails: not-affected (contains no code)
yakkety_rails: not-affected (contains no code)
zesty_rails: not-affected (contains no code)
devel_rails: not-affected (contains no code)

Patches_ruby-activerecord-2.3:
 upstream: https://groups.google.com/group/rubyonrails-security/attach/302ec7ce90f13837/2-3-serialize.patch?part=3 (2.3)
upstream_ruby-activerecord-2.3: ignored (reached end-of-life)
hardy_ruby-activerecord-2.3: DNE
lucid_ruby-activerecord-2.3: DNE
oneiric_ruby-activerecord-2.3: ignored (reached end-of-life)
precise_ruby-activerecord-2.3: ignored (reached end-of-life)
precise/esm_ruby-activerecord-2.3: DNE (precise was needed)
quantal_ruby-activerecord-2.3: ignored (reached end-of-life)
raring_ruby-activerecord-2.3: ignored (reached end-of-life)
saucy_ruby-activerecord-2.3: ignored (reached end-of-life)
trusty_ruby-activerecord-2.3: DNE
trusty/esm_ruby-activerecord-2.3: DNE
utopic_ruby-activerecord-2.3: DNE
vivid_ruby-activerecord-2.3: DNE
vivid/stable-phone-overlay_ruby-activerecord-2.3: DNE
vivid/ubuntu-core_ruby-activerecord-2.3: DNE
wily_ruby-activerecord-2.3: DNE
xenial_ruby-activerecord-2.3: DNE
yakkety_ruby-activerecord-2.3: DNE
zesty_ruby-activerecord-2.3: DNE
devel_ruby-activerecord-2.3: DNE

Patches_ruby-activerecord-3.2:
upstream_ruby-activerecord-3.2: not-affected
hardy_ruby-activerecord-3.2: DNE
lucid_ruby-activerecord-3.2: DNE
oneiric_ruby-activerecord-3.2: DNE
precise_ruby-activerecord-3.2: DNE
precise/esm_ruby-activerecord-3.2: DNE
quantal_ruby-activerecord-3.2: not-affected
raring_ruby-activerecord-3.2: not-affected
saucy_ruby-activerecord-3.2: not-affected
trusty_ruby-activerecord-3.2: not-affected
trusty/esm_ruby-activerecord-3.2: DNE (trusty was not-affected)
utopic_ruby-activerecord-3.2: DNE
vivid_ruby-activerecord-3.2: DNE
vivid/stable-phone-overlay_ruby-activerecord-3.2: DNE
vivid/ubuntu-core_ruby-activerecord-3.2: DNE
wily_ruby-activerecord-3.2: DNE
xenial_ruby-activerecord-3.2: DNE
yakkety_ruby-activerecord-3.2: DNE
zesty_ruby-activerecord-3.2: DNE
devel_ruby-activerecord-3.2: DNE