
Test ID: 1.3.6.1.4.1.25623.1.1.10.2014.0303
Category: Mageia Linux Local Security Checks
Title: Mageia: Security Advisory (MGASA-2014-0303)
Summary: The remote host is missing an update for the 'ruby-actionmailer, ruby-actionpack, ruby-activemodel, ruby-activerecord, ruby-activesupport, ruby-rails, ruby-railties' package(s) announced via the MGASA-2014-0303 advisory.
Description:

Vulnerability Insight:
Updated ruby-actionpack and ruby-activerecord packages fix security
vulnerabilities:

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb
in the implicit-render implementation in Ruby on Rails before 4.0.5, when
certain route globbing configurations are enabled, allows remote attackers to
read arbitrary files via a crafted request (CVE-2014-0130).

PostgreSQL supports a number of unique data types which are not present in
other supported databases. A bug in the SQL quoting code in ActiveRecord in
Ruby on Rails before 4.0.7 can allow an attacker to inject arbitrary SQL using
carefully crafted values (CVE-2014-3483).

The associated Ruby on Rails packages have been updated to version 4.0.8, to
address these and other issues.

Affected Software/OS:
'ruby-actionmailer, ruby-actionpack, ruby-activemodel, ruby-activerecord, ruby-activesupport, ruby-rails, ruby-railties' package(s) on Mageia 4.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2014-0130
BugTraq ID: 67244
http://www.securityfocus.com/bid/67244
RHSA-2014:1863
http://rhn.redhat.com/errata/RHSA-2014-1863.html
[rubyonrails-security] 20140506 [CVE-2014-0130] Directory Traversal Vulnerability With Certain Route Configurations
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ
http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf
Common Vulnerability Exposure (CVE) ID: CVE-2014-3483
BugTraq ID: 68341
http://www.securityfocus.com/bid/68341
Debian Security Information: DSA-2982
http://www.debian.org/security/2014/dsa-2982
http://openwall.com/lists/oss-security/2014/07/02/5
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wDxePLJGZdI/WP7EasCJTA4J
RedHat Security Advisories: RHSA-2014:0877
http://rhn.redhat.com/errata/RHSA-2014-0877.html
http://secunia.com/advisories/59971
http://secunia.com/advisories/60214
Copyright: Copyright (C) 2022 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.