[RHSA-2013:0699-01] Moderate: ruby193-rubygem-activerecord security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: ruby193-rubygem-activerecord security update
Advisory ID: RHSA-2013:0699-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0699.html
Issue date: 2013-04-02
CVE Names: CVE-2013-1854
=====================================================================

1. Summary:

Updated ruby193-rubygem-activerecord packages that fix one security issue
are now available for Red Hat OpenShift Enterprise 1.1.3.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Enterprise Infrastructure - noarch
Red Hat OpenShift Enterprise Node - noarch

3. Description:

Ruby on Rails is a model–view–controller (MVC) framework for web
application development. Active Record implements object-relational mapping
for accessing database entries using objects.

A flaw was found in the way hashes were handled in certain queries. A
remote attacker could use this flaw to perform a denial of service
(resource consumption) attack by sending specially-crafted queries that
would result in the creation of Ruby symbols, which were never garbage
collected. (CVE-2013-1854)

Red Hat would like to thank Ruby on Rails upstream for reporting this
issue. Upstream acknowledges Ben Murphy as the original reporter.

Users of Red Hat OpenShift Enterprise 1.1.3 are advised to upgrade to these
updated packages, which correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability

6. Package List:

Red Hat OpenShift Enterprise Infrastructure:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/ruby193-rubygem-activerecord-3.2.8-6.el6.src.rpm

noarch:
ruby193-rubygem-activerecord-3.2.8-6.el6.noarch.rpm
ruby193-rubygem-activerecord-doc-3.2.8-6.el6.noarch.rpm

Red Hat OpenShift Enterprise Node:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/ruby193-rubygem-activerecord-3.2.8-6.el6.src.rpm

noarch:
ruby193-rubygem-activerecord-3.2.8-6.el6.noarch.rpm
ruby193-rubygem-activerecord-doc-3.2.8-6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-1854.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRWzvgXlSAg2UNWIIRAiwEAJ9Mb0asrJXhRkAqFWxCYjOgkgGaMACfcY2q
kI8o9Q2DEaoiE7+8Pz3uKoY=
=IGh4
-----END PGP SIGNATURE-----
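The advisory's description says that crafted query hashes led to the creation of Ruby symbols that were never garbage collected. The Ruby below is an added example, not Red Hat's code and not the Rails project's code, and it does not reproduce the Active Record internals that were patched; the fix for the product is the updated package listed above. It shows the general application-side pattern that the bug class is about: a request hash whose keys are interned with `to_sym` makes every attacker-chosen key name a permanent symbol on Ruby 1.9.3 (the interpreter the ruby193 collection ships), whereas allowlisting keys against known column names before they reach the query layer keeps the symbol table bounded. `ALLOWED_COLUMNS`, `symbol_interned?`, `unsafe_conditions`, `safe_conditions` and `SAMPLE_PARAMS` are constructed names for this example.

```ruby
# Added example, not from the advisory or from Rails: allowlisting untrusted
# hash keys before they reach an ORM query, so attacker-chosen key names are
# never interned as Ruby symbols. On Ruby 1.9/2.1 symbols are never garbage
# collected, so interning unbounded attacker-controlled strings leaks memory.

# Constructed allowlist standing in for a model's real column names.
ALLOWED_COLUMNS = %w[id name email created_at].freeze

# True if a symbol with exactly this name currently exists in the VM.
# Uses to_s on existing symbols only, so the check itself interns nothing.
def symbol_interned?(name)
  Symbol.all_symbols.any? { |sym| sym.to_s == name }
end

# Vulnerable pattern: every caller-supplied key is symbolized as-is, so an
# unbounded stream of unique key names becomes an unbounded symbol table.
def unsafe_conditions(untrusted)
  untrusted.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
end

# Hardened pattern: only keys on the allowlist are accepted, so the set of
# symbols that can ever be created is fixed by the allowlist, not by input.
def safe_conditions(untrusted, allowed = ALLOWED_COLUMNS)
  untrusted.each_with_object({}) do |(k, v), h|
    key = k.to_s
    next unless allowed.include?(key)
    h[key.to_sym] = v # to_sym only on an allowlisted name
  end
end

# Constructed request parameters: one legitimate key and one made-up key
# of the kind a client could send in unlimited variety.
SAMPLE_PARAMS = {
  "email" => "user@example.com",
  "zz_constructed_junk_key_#{rand(1_000_000)}" => "x",
}

if __FILE__ == $0
  junk = SAMPLE_PARAMS.keys.last
  puts "before any handling, junk key interned? #{symbol_interned?(junk)}"
  safe_conditions(SAMPLE_PARAMS)
  puts "after safe_conditions, junk key interned? #{symbol_interned?(junk)}"
  kept = unsafe_conditions(SAMPLE_PARAMS)
  puts "after unsafe_conditions, junk key interned? #{symbol_interned?(junk)}"
  puts "unsafe result has #{kept.size} keys, safe result has #{safe_conditions(SAMPLE_PARAMS).size}"
end
```

The second `puts` stays `false` because the junk key never reached `to_sym`; the third flips to `true` the moment the unsafe path runs. On Ruby 2.2 and later, symbols created from strings at runtime can be collected once nothing references them, so the symptom is less severe there, but the allowlist is still the right boundary: the query layer should only ever see attribute names the application itself declared.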

 
