Candidate: CVE-2013-4389
PublicDate: 2013-10-17 00:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389
 https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ
Description:
 Multiple format string vulnerabilities in log_subscriber.rb files in the log
 subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow
 remote attackers to cause a denial of service via a crafted e-mail address that
 is improperly handled during construction of a log message.
Ubuntu-Description:
Notes:
 mdeslaur> in Oneiric+, rails package is just for transition
 seth-arnold> Only 3.x.x is affected; earlier and 4.0.x are safe
 seth-arnold> The patch standardizes some log handling across multiple packages,
  but the security fix looks restricted to just one line in action mailer:
  info("\nSent mail to #{recipients} ... the other packages can be left alone.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726576
Priority: medium
Discovered-by: Aaron Neyer
Assigned-to:
CVSS:

Patches_rails:
upstream_rails: released (3.2.15, 4.0.0)
lucid_rails: not-affected
precise_rails: not-affected (contains no code)
quantal_rails: not-affected (contains no code)
raring_rails: not-affected (contains no code)
saucy_rails: not-affected (contains no code)
trusty_rails: not-affected (contains no code)
trusty/esm_rails: DNE (trusty was not-affected [contains no code])
devel_rails: not-affected (contains no code)

Patches_ruby-rails-2.3:
upstream_ruby-rails-2.3: ignored (reached end-of-life)
lucid_ruby-rails-2.3: DNE
precise_ruby-rails-2.3: not-affected
quantal_ruby-rails-2.3: not-affected
raring_ruby-rails-2.3: not-affected
saucy_ruby-rails-2.3: not-affected
trusty_ruby-rails-2.3: DNE
trusty/esm_ruby-rails-2.3: DNE
devel_ruby-rails-2.3: DNE

Patches_ruby-actionpack-2.3:
upstream_ruby-actionpack-2.3: ignored (reached end-of-life)
lucid_ruby-actionpack-2.3: DNE
precise_ruby-actionpack-2.3: not-affected
quantal_ruby-actionpack-2.3: not-affected
raring_ruby-actionpack-2.3: not-affected
saucy_ruby-actionpack-2.3: not-affected
trusty_ruby-actionpack-2.3: DNE
trusty/esm_ruby-actionpack-2.3: DNE
devel_ruby-actionpack-2.3: DNE

Patches_ruby-activesupport-2.3:
upstream_ruby-activesupport-2.3: ignored (reached end-of-life)
lucid_ruby-activesupport-2.3: DNE
precise_ruby-activesupport-2.3: not-affected
quantal_ruby-activesupport-2.3: not-affected
raring_ruby-activesupport-2.3: not-affected
saucy_ruby-activesupport-2.3: not-affected
trusty_ruby-activesupport-2.3: DNE
trusty/esm_ruby-activesupport-2.3: DNE
devel_ruby-activesupport-2.3: DNE

Patches_ruby-activerecord-2.3:
upstream_ruby-activerecord-2.3: ignored (reached end-of-life)
lucid_ruby-activerecord-2.3: DNE
precise_ruby-activerecord-2.3: not-affected
quantal_ruby-activerecord-2.3: not-affected
raring_ruby-activerecord-2.3: not-affected
saucy_ruby-activerecord-2.3: not-affected
trusty_ruby-activerecord-2.3: DNE
trusty/esm_ruby-activerecord-2.3: DNE
devel_ruby-activerecord-2.3: DNE

Patches_ruby-rails-3.2:
upstream_ruby-rails-3.2: not-affected
lucid_ruby-rails-3.2: DNE
precise_ruby-rails-3.2: DNE
quantal_ruby-rails-3.2: not-affected
raring_ruby-rails-3.2: not-affected
saucy_ruby-rails-3.2: not-affected
trusty_ruby-rails-3.2: not-affected
trusty/esm_ruby-rails-3.2: DNE (trusty was not-affected)
devel_ruby-rails-3.2: DNE

Patches_ruby-actionpack-3.2:
upstream_ruby-actionpack-3.2: not-affected
lucid_ruby-actionpack-3.2: DNE
precise_ruby-actionpack-3.2: DNE
quantal_ruby-actionpack-3.2: not-affected
raring_ruby-actionpack-3.2: not-affected
saucy_ruby-actionpack-3.2: not-affected
trusty_ruby-actionpack-3.2: not-affected
trusty/esm_ruby-actionpack-3.2: DNE (trusty was not-affected)
devel_ruby-actionpack-3.2: DNE

Patches_ruby-activesupport-3.2:
upstream_ruby-activesupport-3.2: not-affected
lucid_ruby-activesupport-3.2: DNE
precise_ruby-activesupport-3.2: DNE
quantal_ruby-activesupport-3.2: not-affected
raring_ruby-activesupport-3.2: not-affected
saucy_ruby-activesupport-3.2: not-affected
trusty_ruby-activesupport-3.2: not-affected
trusty/esm_ruby-activesupport-3.2: DNE (trusty was not-affected)
devel_ruby-activesupport-3.2: DNE

Patches_ruby-activerecord-3.2:
upstream_ruby-activerecord-3.2: not-affected
lucid_ruby-activerecord-3.2: DNE
precise_ruby-activerecord-3.2: DNE
quantal_ruby-activerecord-3.2: not-affected
raring_ruby-activerecord-3.2: not-affected
saucy_ruby-activerecord-3.2: not-affected
trusty_ruby-activerecord-3.2: not-affected
trusty/esm_ruby-activerecord-3.2: DNE (trusty was not-affected)
devel_ruby-activerecord-3.2: DNE

Patches_ruby-actionmailer-2.3:
upstream_ruby-actionmailer-2.3: not-affected
lucid_ruby-actionmailer-2.3: DNE
precise_ruby-actionmailer-2.3: not-affected
quantal_ruby-actionmailer-2.3: not-affected
raring_ruby-actionmailer-2.3: not-affected
saucy_ruby-actionmailer-2.3: not-affected
trusty_ruby-actionmailer-2.3: DNE
trusty/esm_ruby-actionmailer-2.3: DNE
devel_ruby-actionmailer-2.3: DNE

Patches_rails-4.0:
upstream_rails-4.0: not-affected
lucid_rails-4.0: DNE
precise_rails-4.0: DNE
quantal_rails-4.0: DNE
raring_rails-4.0: DNE
saucy_rails-4.0: DNE
trusty_rails-4.0: not-affected
trusty/esm_rails-4.0: DNE (trusty was not-affected)
devel_rails-4.0: not-affected

Patches_ruby-actionmailer-3.2:
upstream: https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ
upstream_ruby-actionmailer-3.2: released (3.2.15)
lucid_ruby-actionmailer-3.2: DNE
precise_ruby-actionmailer-3.2: DNE
quantal_ruby-actionmailer-3.2: ignored (reached end-of-life)
raring_ruby-actionmailer-3.2: ignored (reached end-of-life)
saucy_ruby-actionmailer-3.2: ignored (reached end-of-life)
trusty_ruby-actionmailer-3.2: not-affected (3.2.16-1)
trusty/esm_ruby-actionmailer-3.2: DNE (trusty was not-affected [3.2.16-1])
devel_ruby-actionmailer-3.2: DNE
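The one-line Action Mailer fix that the seth-arnold note points at, reconstructed as an added Ruby example to show the vulnerable log-message shape beside the hardened one, plus a regression check for a code base. This is not code from this record or from upstream Rails; the exact upstream lines and the `log_delivery_*` / `format_string_reachable?` names are assumptions, and the recipient list in the check is constructed.

```ruby
# Added example: reconstruction of the Action Mailer log-subscriber pattern
# behind CVE-2013-4389. Not code from this record or from upstream Rails;
# the exact upstream lines are assumed from the fragment quoted in the note.
require "logger"

LOGGER = Logger.new(IO::NULL)

# Vulnerable shape (Rails 3.x before 3.2.15, as the description states): the
# recipient addresses are interpolated into the string BEFORE that string is
# used as a format string with String#%, so any '%' directive inside an
# address reaches sprintf. With one argument supplied, a stray "%s" consumes
# it and the trailing "%1.1f" raises ArgumentError, aborting the delivery.
def log_delivery_vulnerable(recipients, duration_ms)
  msg = "\nSent mail to #{recipients.join(', ')} (%1.1fms)" % duration_ms
  LOGGER.info(msg)
  msg
end

# Hardened shape (what the 3.2.15 change amounts to): format the trusted
# number first, then interpolate; untrusted data never becomes part of a
# format string, so '%' in an address is just a character in the log line.
def log_delivery_fixed(recipients, duration_ms)
  msg = "\nSent mail to #{recipients.join(', ')} (#{format('%1.1f', duration_ms)}ms)"
  LOGGER.info(msg)
  msg
end

# Regression check: returns true if address data can still reach the format
# string through the given logging method, false if it is handled safely.
def format_string_reachable?(method)
  # Constructed test addresses; the second carries a conversion directive.
  send(method, ["user@example.com", "%s@example.com"], 12.34)
  false
rescue ArgumentError
  true
end
```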