CVE-2013-0277 (retired)

Priority
Description
ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows
remote attackers to cause a denial of service or execute arbitrary code via
crafted serialized attributes that cause the +serialize+ helper to
deserialize arbitrary YAML.
Notes
 mdeslaur> in Oneiric+, rails package is just for transition
Package
Source: rails (LP Ubuntu Debian)
Upstream: released (2.3.17, 3.1.0)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was not-affected [contains no code])
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (contains no code)
Patches:
Upstream: https://groups.google.com/group/rubyonrails-security/attach/302ec7ce90f13837/2-3-serialize.patch?part=3 (2.3)
Upstream: https://groups.google.com/group/rubyonrails-security/attach/302ec7ce90f13837/3-0-serialize.patch?part=4 (3.0)
Package
Upstream: ignored (reached end-of-life)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Patches:
Upstream: https://groups.google.com/group/rubyonrails-security/attach/302ec7ce90f13837/2-3-serialize.patch?part=3 (2.3)
Package
Upstream: not-affected
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
More Information

Updated: 2019-09-19 15:43:00 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)