FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  336101
Date:      2013-12-10
Time:      19:45:12Z
Committer: sunpoet

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
ca5d3272-59e3-11e2-853b-00262d5ed8ee	rubygem-rails -- multiple vulnerabilities Ruby on Rails team reports: Two high-risk vulnerabilities have been discovered: (CVE-2013-0155) There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing. Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty "WHERE" clauses. This issue does not let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users would not expect it. (CVE-2013-0156) There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application. Discovery 2013-01-08 Entry 2013-01-08 rubygem-rails lt 3.2.11 rubygem-actionpack lt 3.2.11 rubygem-activerecord lt 3.2.11 rubygem-activesupport lt 3.2.11 CVE-2013-0155 CVE-2013-0156 http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/ https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/t1WFuuQyavI https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/61bkgvnSGTQ
31db9a18-e289-11e1-a57d-080027a27dbf	rubygem-rails -- multiple vulnerabilities Rails core team reports: This version contains three important security fixes, please upgrade immediately. One of security fixes impacts all users and is related to HTML escaping code. The other two fixes impacts people using select_tag's prompt option and strip_tags helper from ActionPack. CVE-2012-3463 Potential XSS Vulnerability in select_tag prompt. CVE-2012-3464 Potential XSS Vulnerability in the HTML escaping code. CVE-2012-3465 XSS Vulnerability in strip_tags. Discovery 2012-08-08 Entry 2012-08-10 rubygem-rails lt 3.2.8 rubygem-actionpack lt 3.2.8 rubygem-activesupport lt 3.2.8 CVE-2012-3463 CVE-2012-3464 CVE-2012-3465 https://groups.google.com/d/msg/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/

VuXML ID

Description

ca5d3272-59e3-11e2-853b-00262d5ed8ee

rubygem-rails -- multiple vulnerabilities

Ruby on Rails team reports:

Two high-risk vulnerabilities have been discovered:

(CVE-2013-0155) There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing.

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty "WHERE" clauses. This issue does not let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users would not expect it.

(CVE-2013-0156) There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

Discovery 2013-01-08
Entry 2013-01-08
rubygem-rails

lt 3.2.11

rubygem-actionpack

lt 3.2.11

rubygem-activerecord

lt 3.2.11

rubygem-activesupport

lt 3.2.11

CVE-2013-0155
CVE-2013-0156
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/t1WFuuQyavI
https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/61bkgvnSGTQ

31db9a18-e289-11e1-a57d-080027a27dbf

rubygem-rails -- multiple vulnerabilities

Rails core team reports:

This version contains three important security fixes, please upgrade immediately.

One of security fixes impacts all users and is related to HTML escaping code. The other two fixes impacts people using select_tag's prompt option and strip_tags helper from ActionPack.

CVE-2012-3463 Potential XSS Vulnerability in select_tag prompt.

CVE-2012-3464 Potential XSS Vulnerability in the HTML escaping code.

CVE-2012-3465 XSS Vulnerability in strip_tags.

Discovery 2012-08-08
Entry 2012-08-10
rubygem-rails

lt 3.2.8

rubygem-actionpack

lt 3.2.8

rubygem-activesupport

lt 3.2.8

CVE-2012-3463
CVE-2012-3464
CVE-2012-3465
https://groups.google.com/d/msg/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ
https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/