Candidate: CVE-2015-7577
PublicDate: 2016-02-16 02:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577
Description:
 activerecord/lib/active_record/nested_attributes.rb in Active Record in
 Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before
 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not
 properly implement a certain destroy option, which allows remote attackers
 to bypass intended change restrictions by leveraging use of the nested
 attributes feature.
Ubuntu-Description:
Notes:
 seth-arnold> In Oneiric-Saucy, rails package is just for transition;
 seth-arnold> The rails package contains actual code from vivid onward
Bugs:
Priority: medium
Discovered-by: Justin Coyne
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]

Patches_rails:
upstream_rails: released (5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1)
precise_rails: not-affected (contains no code)
precise/esm_rails: DNE (precise was not-affected [contains no code])
trusty_rails: not-affected (contains no code)
trusty/esm_rails: DNE (trusty was not-affected [contains no code])
vivid_rails: released (2:4.1.8-1+deb8u1build0.15.04.1)
vivid/ubuntu-core_rails: DNE
vivid/stable-phone-overlay_rails: DNE
wily_rails: ignored (reached end-of-life)
xenial_rails: not-affected (2:4.2.6-1)
yakkety_rails: ignored (reached end-of-life)
zesty_rails: ignored (reached end-of-life)
artful_rails: ignored (reached end-of-life)
bionic_rails: not-affected (2:4.2.6-1)
cosmic_rails: not-affected (2:4.2.6-1)
disco_rails: not-affected (2:4.2.6-1)
devel_rails: not-affected (2:4.2.6-1)

Patches_ruby-rails-2.3:
upstream_ruby-rails-2.3: ignored (reached end-of-life)
precise_ruby-rails-2.3: not-affected
precise/esm_ruby-rails-2.3: DNE (precise was not-affected)
trusty_ruby-rails-2.3: DNE
trusty/esm_ruby-rails-2.3: DNE
vivid_ruby-rails-2.3: DNE
vivid/ubuntu-core_ruby-rails-2.3: DNE
vivid/stable-phone-overlay_ruby-rails-2.3: DNE
wily_ruby-rails-2.3: DNE
xenial_ruby-rails-2.3: DNE
yakkety_ruby-rails-2.3: DNE
zesty_ruby-rails-2.3: DNE
artful_ruby-rails-2.3: DNE
bionic_ruby-rails-2.3: DNE
cosmic_ruby-rails-2.3: DNE
disco_ruby-rails-2.3: DNE
devel_ruby-rails-2.3: DNE

Patches_ruby-actionpack-2.3:
upstream_ruby-actionpack-2.3: ignored (reached end-of-life)
precise_ruby-actionpack-2.3: not-affected
precise/esm_ruby-actionpack-2.3: DNE (precise was not-affected)
trusty_ruby-actionpack-2.3: DNE
trusty/esm_ruby-actionpack-2.3: DNE
vivid_ruby-actionpack-2.3: DNE
vivid/ubuntu-core_ruby-actionpack-2.3: DNE
vivid/stable-phone-overlay_ruby-actionpack-2.3: DNE
wily_ruby-actionpack-2.3: DNE
xenial_ruby-actionpack-2.3: DNE
yakkety_ruby-actionpack-2.3: DNE
zesty_ruby-actionpack-2.3: DNE
artful_ruby-actionpack-2.3: DNE
bionic_ruby-actionpack-2.3: DNE
cosmic_ruby-actionpack-2.3: DNE
disco_ruby-actionpack-2.3: DNE
devel_ruby-actionpack-2.3: DNE

Patches_ruby-activesupport-2.3:
upstream_ruby-activesupport-2.3: ignored (reached end-of-life)
precise_ruby-activesupport-2.3: not-affected
precise/esm_ruby-activesupport-2.3: DNE (precise was not-affected)
trusty_ruby-activesupport-2.3: DNE
trusty/esm_ruby-activesupport-2.3: DNE
vivid_ruby-activesupport-2.3: DNE
vivid/ubuntu-core_ruby-activesupport-2.3: DNE
vivid/stable-phone-overlay_ruby-activesupport-2.3: DNE
wily_ruby-activesupport-2.3: DNE
xenial_ruby-activesupport-2.3: DNE
yakkety_ruby-activesupport-2.3: DNE
zesty_ruby-activesupport-2.3: DNE
artful_ruby-activesupport-2.3: DNE
bionic_ruby-activesupport-2.3: DNE
cosmic_ruby-activesupport-2.3: DNE
disco_ruby-activesupport-2.3: DNE
devel_ruby-activesupport-2.3: DNE

Patches_ruby-activerecord-2.3:
upstream_ruby-activerecord-2.3: ignored (reached end-of-life)
precise_ruby-activerecord-2.3: not-affected
precise/esm_ruby-activerecord-2.3: DNE (precise was not-affected)
trusty_ruby-activerecord-2.3: DNE
trusty/esm_ruby-activerecord-2.3: DNE
vivid_ruby-activerecord-2.3: DNE
vivid/ubuntu-core_ruby-activerecord-2.3: DNE
vivid/stable-phone-overlay_ruby-activerecord-2.3: DNE
wily_ruby-activerecord-2.3: DNE
xenial_ruby-activerecord-2.3: DNE
yakkety_ruby-activerecord-2.3: DNE
zesty_ruby-activerecord-2.3: DNE
artful_ruby-activerecord-2.3: DNE
bionic_ruby-activerecord-2.3: DNE
cosmic_ruby-activerecord-2.3: DNE
disco_ruby-activerecord-2.3: DNE
devel_ruby-activerecord-2.3: DNE

Patches_ruby-rails-3.2:
upstream_ruby-rails-3.2: needed
precise_ruby-rails-3.2: DNE
precise/esm_ruby-rails-3.2: DNE
trusty_ruby-rails-3.2: ignored (reached end-of-life)
trusty/esm_ruby-rails-3.2: DNE (trusty was needed)
vivid_ruby-rails-3.2: DNE
vivid/ubuntu-core_ruby-rails-3.2: DNE
vivid/stable-phone-overlay_ruby-rails-3.2: DNE
wily_ruby-rails-3.2: DNE
xenial_ruby-rails-3.2: DNE
yakkety_ruby-rails-3.2: DNE
zesty_ruby-rails-3.2: DNE
artful_ruby-rails-3.2: DNE
bionic_ruby-rails-3.2: DNE
cosmic_ruby-rails-3.2: DNE
disco_ruby-rails-3.2: DNE
devel_ruby-rails-3.2: DNE

Patches_ruby-actionpack-3.2:
upstream_ruby-actionpack-3.2: not-affected
precise_ruby-actionpack-3.2: DNE
precise/esm_ruby-actionpack-3.2: DNE
trusty_ruby-actionpack-3.2: not-affected
trusty/esm_ruby-actionpack-3.2: DNE (trusty was not-affected)
vivid_ruby-actionpack-3.2: DNE
vivid/ubuntu-core_ruby-actionpack-3.2: DNE
vivid/stable-phone-overlay_ruby-actionpack-3.2: DNE
wily_ruby-actionpack-3.2: DNE
xenial_ruby-actionpack-3.2: DNE
yakkety_ruby-actionpack-3.2: DNE
zesty_ruby-actionpack-3.2: DNE
artful_ruby-actionpack-3.2: DNE
bionic_ruby-actionpack-3.2: DNE
cosmic_ruby-actionpack-3.2: DNE
disco_ruby-actionpack-3.2: DNE
devel_ruby-actionpack-3.2: DNE

Patches_ruby-activesupport-3.2:
upstream_ruby-activesupport-3.2: not-affected
precise_ruby-activesupport-3.2: DNE
precise/esm_ruby-activesupport-3.2: DNE
trusty_ruby-activesupport-3.2: not-affected
trusty/esm_ruby-activesupport-3.2: DNE (trusty was not-affected)
vivid_ruby-activesupport-3.2: DNE
vivid/ubuntu-core_ruby-activesupport-3.2: DNE
vivid/stable-phone-overlay_ruby-activesupport-3.2: DNE
wily_ruby-activesupport-3.2: DNE
xenial_ruby-activesupport-3.2: DNE
yakkety_ruby-activesupport-3.2: DNE
zesty_ruby-activesupport-3.2: DNE
artful_ruby-activesupport-3.2: DNE
bionic_ruby-activesupport-3.2: DNE
cosmic_ruby-activesupport-3.2: DNE
disco_ruby-activesupport-3.2: DNE
devel_ruby-activesupport-3.2: DNE

Patches_ruby-activerecord-3.2:
upstream_ruby-activerecord-3.2: needed
precise_ruby-activerecord-3.2: DNE
precise/esm_ruby-activerecord-3.2: DNE
trusty_ruby-activerecord-3.2: ignored (reached end-of-life)
trusty/esm_ruby-activerecord-3.2: DNE (trusty was needed)
vivid_ruby-activerecord-3.2: DNE
vivid/ubuntu-core_ruby-activerecord-3.2: DNE
vivid/stable-phone-overlay_ruby-activerecord-3.2: DNE
wily_ruby-activerecord-3.2: DNE
xenial_ruby-activerecord-3.2: DNE
yakkety_ruby-activerecord-3.2: DNE
zesty_ruby-activerecord-3.2: DNE
artful_ruby-activerecord-3.2: DNE
bionic_ruby-activerecord-3.2: DNE
cosmic_ruby-activerecord-3.2: DNE
disco_ruby-activerecord-3.2: DNE
devel_ruby-activerecord-3.2: DNE

Patches_rails-4.0:
upstream_rails-4.0: released (5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1)
precise_rails-4.0: DNE
precise/esm_rails-4.0: DNE
trusty_rails-4.0: ignored (reached end-of-life)
trusty/esm_rails-4.0: DNE (trusty was needed)
vivid_rails-4.0: DNE
vivid/ubuntu-core_rails-4.0: DNE
vivid/stable-phone-overlay_rails-4.0: DNE
wily_rails-4.0: DNE
xenial_rails-4.0: DNE
yakkety_rails-4.0: DNE
zesty_rails-4.0: DNE
artful_rails-4.0: DNE
bionic_rails-4.0: DNE
cosmic_rails-4.0: DNE
disco_rails-4.0: DNE
devel_rails-4.0: DNE