Candidate: CVE-2013-1856
PublicDate: 2013-03-19 22:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1856
 https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain
Description:
 The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
Ubuntu-Description:
Notes:
 mdeslaur> in Oneiric+, rails package is just for transition
 jdstrand> per upstream, rails 2.3 not affected
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703350
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_rails:
upstream_rails: needs-triage
hardy_rails: ignored (reached end-of-life)
lucid_rails: ignored (reached end-of-life)
oneiric_rails: not-affected (contains no code)
precise_rails: not-affected (contains no code)
precise/esm_rails: DNE (precise was not-affected [contains no code])
quantal_rails: not-affected (contains no code)
raring_rails: not-affected (contains no code)
saucy_rails: not-affected (contains no code)
trusty_rails: not-affected (contains no code)
trusty/esm_rails: DNE (trusty was not-affected [contains no code])
utopic_rails: not-affected (contains no code)
vivid_rails: not-affected (contains no code)
vivid/stable-phone-overlay_rails: DNE
vivid/ubuntu-core_rails: DNE
wily_rails: not-affected (contains no code)
xenial_rails: not-affected (contains no code)
yakkety_rails: not-affected (contains no code)
zesty_rails: not-affected (contains no code)
artful_rails: not-affected (contains no code)
bionic_rails: not-affected (contains no code)
cosmic_rails: not-affected (contains no code)
devel_rails: not-affected (contains no code)

Patches_ruby-rails-2.3:
upstream_ruby-rails-2.3: ignored (reached end-of-life)
hardy_ruby-rails-2.3: DNE
lucid_ruby-rails-2.3: DNE
oneiric_ruby-rails-2.3: not-affected
precise_ruby-rails-2.3: not-affected
precise/esm_ruby-rails-2.3: DNE (precise was not-affected)
quantal_ruby-rails-2.3: not-affected
raring_ruby-rails-2.3: not-affected
saucy_ruby-rails-2.3: not-affected
trusty_ruby-rails-2.3: DNE
trusty/esm_ruby-rails-2.3: DNE
utopic_ruby-rails-2.3: DNE
vivid_ruby-rails-2.3: DNE
vivid/stable-phone-overlay_ruby-rails-2.3: DNE
vivid/ubuntu-core_ruby-rails-2.3: DNE
wily_ruby-rails-2.3: DNE
xenial_ruby-rails-2.3: DNE
yakkety_ruby-rails-2.3: DNE
zesty_ruby-rails-2.3: DNE
artful_ruby-rails-2.3: DNE
bionic_ruby-rails-2.3: DNE
cosmic_ruby-rails-2.3: DNE
devel_ruby-rails-2.3: DNE

Patches_ruby-actionpack-2.3:
upstream_ruby-actionpack-2.3: ignored (reached end-of-life)
hardy_ruby-actionpack-2.3: DNE
lucid_ruby-actionpack-2.3: DNE
oneiric_ruby-actionpack-2.3: ignored (reached end-of-life)
precise_ruby-actionpack-2.3: ignored (reached end-of-life)
precise/esm_ruby-actionpack-2.3: DNE (precise was needs-triage)
quantal_ruby-actionpack-2.3: ignored (reached end-of-life)
raring_ruby-actionpack-2.3: ignored (reached end-of-life)
saucy_ruby-actionpack-2.3: ignored (reached end-of-life)
trusty_ruby-actionpack-2.3: DNE
trusty/esm_ruby-actionpack-2.3: DNE
utopic_ruby-actionpack-2.3: DNE
vivid_ruby-actionpack-2.3: DNE
vivid/stable-phone-overlay_ruby-actionpack-2.3: DNE
vivid/ubuntu-core_ruby-actionpack-2.3: DNE
wily_ruby-actionpack-2.3: DNE
xenial_ruby-actionpack-2.3: DNE
yakkety_ruby-actionpack-2.3: DNE
zesty_ruby-actionpack-2.3: DNE
artful_ruby-actionpack-2.3: DNE
bionic_ruby-actionpack-2.3: DNE
cosmic_ruby-actionpack-2.3: DNE
devel_ruby-actionpack-2.3: DNE

Patches_ruby-activesupport-2.3:
upstream_ruby-activesupport-2.3: ignored (reached end-of-life)
hardy_ruby-activesupport-2.3: DNE
lucid_ruby-activesupport-2.3: DNE
oneiric_ruby-activesupport-2.3: ignored (reached end-of-life)
precise_ruby-activesupport-2.3: ignored (reached end-of-life)
precise/esm_ruby-activesupport-2.3: DNE (precise was needs-triage)
quantal_ruby-activesupport-2.3: ignored (reached end-of-life)
raring_ruby-activesupport-2.3: ignored (reached end-of-life)
saucy_ruby-activesupport-2.3: ignored (reached end-of-life)
trusty_ruby-activesupport-2.3: DNE
trusty/esm_ruby-activesupport-2.3: DNE
utopic_ruby-activesupport-2.3: DNE
vivid_ruby-activesupport-2.3: DNE
vivid/stable-phone-overlay_ruby-activesupport-2.3: DNE
vivid/ubuntu-core_ruby-activesupport-2.3: DNE
wily_ruby-activesupport-2.3: DNE
xenial_ruby-activesupport-2.3: DNE
yakkety_ruby-activesupport-2.3: DNE
zesty_ruby-activesupport-2.3: DNE
artful_ruby-activesupport-2.3: DNE
bionic_ruby-activesupport-2.3: DNE
cosmic_ruby-activesupport-2.3: DNE
devel_ruby-activesupport-2.3: DNE

Patches_ruby-activerecord-2.3:
upstream_ruby-activerecord-2.3: ignored (reached end-of-life)
hardy_ruby-activerecord-2.3: DNE
lucid_ruby-activerecord-2.3: DNE
oneiric_ruby-activerecord-2.3: ignored (reached end-of-life)
precise_ruby-activerecord-2.3: ignored (reached end-of-life)
precise/esm_ruby-activerecord-2.3: DNE (precise was needs-triage)
quantal_ruby-activerecord-2.3: ignored (reached end-of-life)
raring_ruby-activerecord-2.3: ignored (reached end-of-life)
saucy_ruby-activerecord-2.3: ignored (reached end-of-life)
trusty_ruby-activerecord-2.3: DNE
trusty/esm_ruby-activerecord-2.3: DNE
utopic_ruby-activerecord-2.3: DNE
vivid_ruby-activerecord-2.3: DNE
vivid/stable-phone-overlay_ruby-activerecord-2.3: DNE
vivid/ubuntu-core_ruby-activerecord-2.3: DNE
wily_ruby-activerecord-2.3: DNE
xenial_ruby-activerecord-2.3: DNE
yakkety_ruby-activerecord-2.3: DNE
zesty_ruby-activerecord-2.3: DNE
artful_ruby-activerecord-2.3: DNE
bionic_ruby-activerecord-2.3: DNE
cosmic_ruby-activerecord-2.3: DNE
devel_ruby-activerecord-2.3: DNE

Patches_ruby-rails-3.2:
upstream_ruby-rails-3.2: needs-triage
hardy_ruby-rails-3.2: DNE
lucid_ruby-rails-3.2: DNE
oneiric_ruby-rails-3.2: DNE
precise_ruby-rails-3.2: DNE
precise/esm_ruby-rails-3.2: DNE
quantal_ruby-rails-3.2: ignored (reached end-of-life)
raring_ruby-rails-3.2: ignored (reached end-of-life)
saucy_ruby-rails-3.2: ignored (reached end-of-life)
trusty_ruby-rails-3.2: not-affected
trusty/esm_ruby-rails-3.2: DNE (trusty was not-affected)
utopic_ruby-rails-3.2: DNE
vivid_ruby-rails-3.2: DNE
vivid/stable-phone-overlay_ruby-rails-3.2: DNE
vivid/ubuntu-core_ruby-rails-3.2: DNE
wily_ruby-rails-3.2: DNE
xenial_ruby-rails-3.2: DNE
yakkety_ruby-rails-3.2: DNE
zesty_ruby-rails-3.2: DNE
artful_ruby-rails-3.2: DNE
bionic_ruby-rails-3.2: DNE
cosmic_ruby-rails-3.2: DNE
devel_ruby-rails-3.2: DNE

Patches_ruby-actionpack-3.2:
upstream_ruby-actionpack-3.2: needs-triage
hardy_ruby-actionpack-3.2: DNE
lucid_ruby-actionpack-3.2: DNE
oneiric_ruby-actionpack-3.2: DNE
precise_ruby-actionpack-3.2: DNE
precise/esm_ruby-actionpack-3.2: DNE
quantal_ruby-actionpack-3.2: ignored (reached end-of-life)
raring_ruby-actionpack-3.2: ignored (reached end-of-life)
saucy_ruby-actionpack-3.2: ignored (reached end-of-life)
trusty_ruby-actionpack-3.2: not-affected
trusty/esm_ruby-actionpack-3.2: DNE (trusty was not-affected)
utopic_ruby-actionpack-3.2: DNE
vivid_ruby-actionpack-3.2: DNE
vivid/stable-phone-overlay_ruby-actionpack-3.2: DNE
vivid/ubuntu-core_ruby-actionpack-3.2: DNE
wily_ruby-actionpack-3.2: DNE
xenial_ruby-actionpack-3.2: DNE
yakkety_ruby-actionpack-3.2: DNE
zesty_ruby-actionpack-3.2: DNE
artful_ruby-actionpack-3.2: DNE
bionic_ruby-actionpack-3.2: DNE
cosmic_ruby-actionpack-3.2: DNE
devel_ruby-actionpack-3.2: DNE

Patches_ruby-activesupport-3.2:
upstream_ruby-activesupport-3.2: needs-triage
hardy_ruby-activesupport-3.2: DNE
lucid_ruby-activesupport-3.2: DNE
oneiric_ruby-activesupport-3.2: DNE
precise_ruby-activesupport-3.2: DNE
precise/esm_ruby-activesupport-3.2: DNE
quantal_ruby-activesupport-3.2: ignored (reached end-of-life)
raring_ruby-activesupport-3.2: ignored (reached end-of-life)
saucy_ruby-activesupport-3.2: ignored (reached end-of-life)
trusty_ruby-activesupport-3.2: released (3.2.6-5)
trusty/esm_ruby-activesupport-3.2: DNE (trusty was released [3.2.6-5])
utopic_ruby-activesupport-3.2: DNE
vivid_ruby-activesupport-3.2: DNE
vivid/stable-phone-overlay_ruby-activesupport-3.2: DNE
vivid/ubuntu-core_ruby-activesupport-3.2: DNE
wily_ruby-activesupport-3.2: DNE
xenial_ruby-activesupport-3.2: DNE
yakkety_ruby-activesupport-3.2: DNE
zesty_ruby-activesupport-3.2: DNE
artful_ruby-activesupport-3.2: DNE
bionic_ruby-activesupport-3.2: DNE
cosmic_ruby-activesupport-3.2: DNE
devel_ruby-activesupport-3.2: DNE

Patches_ruby-activerecord-3.2:
upstream_ruby-activerecord-3.2: needs-triage
hardy_ruby-activerecord-3.2: DNE
lucid_ruby-activerecord-3.2: DNE
oneiric_ruby-activerecord-3.2: DNE
precise_ruby-activerecord-3.2: DNE
precise/esm_ruby-activerecord-3.2: DNE
quantal_ruby-activerecord-3.2: ignored (reached end-of-life)
raring_ruby-activerecord-3.2: ignored (reached end-of-life)
saucy_ruby-activerecord-3.2: ignored (reached end-of-life)
trusty_ruby-activerecord-3.2: not-affected
trusty/esm_ruby-activerecord-3.2: DNE (trusty was not-affected)
utopic_ruby-activerecord-3.2: DNE
vivid_ruby-activerecord-3.2: DNE
vivid/stable-phone-overlay_ruby-activerecord-3.2: DNE
vivid/ubuntu-core_ruby-activerecord-3.2: DNE
wily_ruby-activerecord-3.2: DNE
xenial_ruby-activerecord-3.2: DNE
yakkety_ruby-activerecord-3.2: DNE
zesty_ruby-activerecord-3.2: DNE
artful_ruby-activerecord-3.2: DNE
bionic_ruby-activerecord-3.2: DNE
cosmic_ruby-activerecord-3.2: DNE
devel_ruby-activerecord-3.2: DNE