Test ID: 1.3.6.1.4.1.25623.1.0.66602
Category: Gentoo Local Security Checks
Title: Gentoo Security Advisory GLSA 200912-02 (rails)
Summary: The remote host is missing updates announced in advisory GLSA 200912-02.
Description: Summary:
The remote host is missing updates announced in
advisory GLSA 200912-02.

Vulnerability Insight:
Multiple vulnerabilities have been discovered in Rails, the worst of which
leads to the execution of arbitrary SQL statements.

Solution:
All Ruby on Rails 2.3.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-ruby/rails-2.3.5'

All Ruby on Rails 2.2.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '=dev-ruby/rails-2.2.3-r1'

NOTE: All applications using Ruby on Rails should also be configured to
use the latest version available by running 'rake rails:update' inside
the application directory.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross References: Common Vulnerability Exposure (CVE) ID: CVE-2007-5380
http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
BugTraq ID: 26096
http://www.securityfocus.com/bid/26096
Cert/CC Advisory: TA07-352A
http://www.us-cert.gov/cas/techalerts/TA07-352A.html
http://security.gentoo.org/glsa/glsa-200711-17.xml
http://secunia.com/advisories/27657
http://secunia.com/advisories/27965
http://secunia.com/advisories/28136
SuSE Security Announcement: SUSE-SR:2007:025
http://www.novell.com/linux/security/advisories/2007_25_sr.html
http://www.vupen.com/english/advisories/2007/3508
http://www.vupen.com/english/advisories/2007/4238
Common Vulnerability Exposure (CVE) ID: CVE-2007-6077
BugTraq ID: 26598
http://www.securityfocus.com/bid/26598
http://secunia.com/advisories/27781
http://www.vupen.com/english/advisories/2007/4009
Common Vulnerability Exposure (CVE) ID: CVE-2008-4094
BugTraq ID: 31176
http://www.securityfocus.com/bid/31176
http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
http://www.openwall.com/lists/oss-security/2008/09/13/2
http://www.openwall.com/lists/oss-security/2008/09/16/1
http://www.securitytracker.com/id?1020871
http://secunia.com/advisories/31875
http://secunia.com/advisories/31909
http://secunia.com/advisories/31910
SuSE Security Announcement: SUSE-SR:2008:027
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
http://www.vupen.com/english/advisories/2008/2562
XForce ISS Database: rubyonrails-activerecord-sql-injection(45109)
https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
Common Vulnerability Exposure (CVE) ID: CVE-2008-7248
Secunia Advisory: 36600
http://secunia.com/advisories/36600
Secunia Advisory: 38915
http://secunia.com/advisories/38915
VUPEN Advisory: ADV-2009-2544
http://www.vupen.com/english/advisories/2009/2544
SuSE Security Announcement: SUSE-SR:2010:006
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
[oss-security] 20091128 CVE request: Ruby on Rails: CSRF circumvention (from 2008)
http://www.openwall.com/lists/oss-security/2009/11/28/1
[oss-security] 20091202 Re: CVE request: Ruby on Rails: CSRF circumvention (from 2008)
http://www.openwall.com/lists/oss-security/2009/12/02/2
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
Common Vulnerability Exposure (CVE) ID: CVE-2009-2422
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
BugTraq ID: 35579
http://www.securityfocus.com/bid/35579
http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s
http://secunia.com/advisories/35702
http://www.vupen.com/english/advisories/2009/1802
XForce ISS Database: rubyonrails-validatedigest-sec-bypass(51528)
https://exchange.xforce.ibmcloud.com/vulnerabilities/51528
Common Vulnerability Exposure (CVE) ID: CVE-2009-3009
BugTraq ID: 36278
http://www.securityfocus.com/bid/36278
Debian Security Information: DSA-1887
http://www.debian.org/security/2009/dsa-1887
http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source
http://www.osvdb.org/57666
http://securitytracker.com/id?1022824
http://secunia.com/advisories/36717
SuSE Security Announcement: SUSE-SR:2009:017
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
XForce ISS Database: rubyonrails-unicode-xss(53036)
https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
Common Vulnerability Exposure (CVE) ID: CVE-2009-3086
BugTraq ID: 37427
http://www.securityfocus.com/bid/37427
Debian Security Information: DSA-2260
http://www.debian.org/security/2011/dsa-2260
Common Vulnerability Exposure (CVE) ID: CVE-2009-4214
BugTraq ID: 37142
http://www.securityfocus.com/bid/37142
Debian Security Information: DSA-2301
http://www.debian.org/security/2011/dsa-2301
http://www.openwall.com/lists/oss-security/2009/11/27/2
http://www.openwall.com/lists/oss-security/2009/12/08/3
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
http://www.securitytracker.com/id?1023245
http://secunia.com/advisories/37446
SuSE Security Announcement: SUSE-SR:2010:006
http://www.vupen.com/english/advisories/2009/3352
Copyright: Copyright (C) 2009 E-Soft Inc.

© 1998-2025 E-Soft Inc. All rights reserved.