Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2014-0191)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.1.10.2014.0191

Category: Mageia Linux Local Security Checks

Title: Mageia: Security Advisory (MGASA-2014-0191)

Summary: The remote host is missing an update for the 'ruby-actionmailer, ruby-actionpack, ruby-activemodel, ruby-activerecord, ruby-activesupport, ruby-rails, ruby-railties' package(s) announced via the MGASA-2014-0191 advisory.

Description: Summary:
The remote host is missing an update for the 'ruby-actionmailer, ruby-actionpack, ruby-activemodel, ruby-activerecord, ruby-activesupport, ruby-rails, ruby-railties' package(s) announced via the MGASA-2014-0191 advisory.

Vulnerability Insight:
Updated ruby-activerecord and ruby-actionpack packages fix security
vulnerabilities:

There is a data injection vulnerability in Active Record. Specially crafted
strings can be used to save data in PostgreSQL array columns that may not be
intended (CVE-2014-0080).

There is an XSS vulnerability in the number_to_currency, number_to_percentage
and number_to_human helpers in Ruby on Rails (CVE-2014-0081).

The associated packages have been updated to version 4.0.3 to fix these
issues.

Affected Software/OS:
'ruby-actionmailer, ruby-actionpack, ruby-activemodel, ruby-activerecord, ruby-activesupport, ruby-rails, ruby-railties' package(s) on Mageia 4.

Solution:
Please install the updated package(s).

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-0080
http://openwall.com/lists/oss-security/2014/02/18/9
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ
Common Vulnerability Exposure (CVE) ID: CVE-2014-0081
BugTraq ID: 65647
http://www.securityfocus.com/bid/65647
http://openwall.com/lists/oss-security/2014/02/18/8
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ
RedHat Security Advisories: RHSA-2014:0215
http://rhn.redhat.com/errata/RHSA-2014-0215.html
RedHat Security Advisories: RHSA-2014:0306
http://rhn.redhat.com/errata/RHSA-2014-0306.html
http://www.securitytracker.com/id/1029782
http://secunia.com/advisories/57376
SuSE Security Announcement: openSUSE-SU-2014:0295 (Google Search)
http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html

Copyright Copyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.1.10.2014.0191
Category:	Mageia Linux Local Security Checks
Title:	Mageia: Security Advisory (MGASA-2014-0191)
Summary:	The remote host is missing an update for the 'ruby-actionmailer, ruby-actionpack, ruby-activemodel, ruby-activerecord, ruby-activesupport, ruby-rails, ruby-railties' package(s) announced via the MGASA-2014-0191 advisory.
Description:	Summary: The remote host is missing an update for the 'ruby-actionmailer, ruby-actionpack, ruby-activemodel, ruby-activerecord, ruby-activesupport, ruby-rails, ruby-railties' package(s) announced via the MGASA-2014-0191 advisory. Vulnerability Insight: Updated ruby-activerecord and ruby-actionpack packages fix security vulnerabilities: There is a data injection vulnerability in Active Record. Specially crafted strings can be used to save data in PostgreSQL array columns that may not be intended (CVE-2014-0080). There is an XSS vulnerability in the number_to_currency, number_to_percentage and number_to_human helpers in Ruby on Rails (CVE-2014-0081). The associated packages have been updated to version 4.0.3 to fix these issues. Affected Software/OS: 'ruby-actionmailer, ruby-actionpack, ruby-activemodel, ruby-activerecord, ruby-activesupport, ruby-rails, ruby-railties' package(s) on Mageia 4. Solution: Please install the updated package(s). CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-0080 http://openwall.com/lists/oss-security/2014/02/18/9 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ Common Vulnerability Exposure (CVE) ID: CVE-2014-0081 BugTraq ID: 65647 http://www.securityfocus.com/bid/65647 http://openwall.com/lists/oss-security/2014/02/18/8 https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ RedHat Security Advisories: RHSA-2014:0215 http://rhn.redhat.com/errata/RHSA-2014-0215.html RedHat Security Advisories: RHSA-2014:0306 http://rhn.redhat.com/errata/RHSA-2014-0306.html http://www.securitytracker.com/id/1029782 http://secunia.com/advisories/57376 SuSE Security Announcement: openSUSE-SU-2014:0295 (Google Search) http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
Copyright	Copyright (C) 2022 Greenbone AG