Fedora Local Security Checks : Fedora Core 9 FEDORA-2008-8322 (rubygem-activerecord)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.61690

Category: Fedora Local Security Checks

Title: Fedora Core 9 FEDORA-2008-8322 (rubygem-activerecord)

Summary: NOSUMMARY

Description: Description:

The remote host is missing an update to rubygem-activerecord
announced via advisory FEDORA-2008-8322.

Update Information:

Fixes CVE-2008-4094 (SQL injection in limit and offset clauses)
ChangeLog:

* Tue Sep 16 2008 David Lutterkort - 2.1.1-2
- New version (fixes CVE-2008-4094)
* Thu Jul 31 2008 Michael Stahnke - 2.1.0-1
- New Upstream

References:

[ 1 ] Bug #462302 - CVE-2008-4094 Security: rubygem-rails 2.1.1 is available, please update
https://bugzilla.redhat.com/show_bug.cgi?id=462302
[ 2 ] Bug #462303 - CVE-2008-4094 Security: rubygem-actionmailer 2.1.1 is available, please update
https://bugzilla.redhat.com/show_bug.cgi?id=462303
[ 3 ] Bug #462304 - CVE-2008-4094 Security: rubygem-actionpack 2.1.1 is available, please update
https://bugzilla.redhat.com/show_bug.cgi?id=462304
[ 4 ] Bug #462306 - CVE-2008-4094 Security: rubygem-activerecord 2.1.1 is available, please update
https://bugzilla.redhat.com/show_bug.cgi?id=462306
[ 5 ] Bug #462307 - CVE-2008-4094 Security: rubygem-activeresource 2.1.1 is available, please update
https://bugzilla.redhat.com/show_bug.cgi?id=462307
[ 6 ] Bug #462308 - CVE-2008-4094 Security: rubygem-activesupport 2.1.1 is available, please update
https://bugzilla.redhat.com/show_bug.cgi?id=462308

Solution: Apply the appropriate updates.

This update can be installed with the yum update program. Use
su -c 'yum update rubygem-activerecord' at the command line.
For more information, refer to Managing Software with yum,
available at http://docs.fedoraproject.org/yum/.

http://www.securityspace.com/smysecure/catid.html?in=FEDORA-2008-8322

Risk factor : High

CVSS Score:
7.5

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2008-4094
BugTraq ID: 31176
http://www.securityfocus.com/bid/31176
http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
http://www.openwall.com/lists/oss-security/2008/09/13/2
http://www.openwall.com/lists/oss-security/2008/09/16/1
http://www.securitytracker.com/id?1020871
http://secunia.com/advisories/31875
http://secunia.com/advisories/31909
http://secunia.com/advisories/31910
SuSE Security Announcement: SUSE-SR:2008:027 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
http://www.vupen.com/english/advisories/2008/2562
XForce ISS Database: rubyonrails-activerecord-sql-injection(45109)
https://exchange.xforce.ibmcloud.com/vulnerabilities/45109

Copyright Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.61690
Category:	Fedora Local Security Checks
Title:	Fedora Core 9 FEDORA-2008-8322 (rubygem-activerecord)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing an update to rubygem-activerecord announced via advisory FEDORA-2008-8322. Update Information: Fixes CVE-2008-4094 (SQL injection in limit and offset clauses) ChangeLog: * Tue Sep 16 2008 David Lutterkort - 2.1.1-2 - New version (fixes CVE-2008-4094) * Thu Jul 31 2008 Michael Stahnke - 2.1.0-1 - New Upstream References: [ 1 ] Bug #462302 - CVE-2008-4094 Security: rubygem-rails 2.1.1 is available, please update https://bugzilla.redhat.com/show_bug.cgi?id=462302 [ 2 ] Bug #462303 - CVE-2008-4094 Security: rubygem-actionmailer 2.1.1 is available, please update https://bugzilla.redhat.com/show_bug.cgi?id=462303 [ 3 ] Bug #462304 - CVE-2008-4094 Security: rubygem-actionpack 2.1.1 is available, please update https://bugzilla.redhat.com/show_bug.cgi?id=462304 [ 4 ] Bug #462306 - CVE-2008-4094 Security: rubygem-activerecord 2.1.1 is available, please update https://bugzilla.redhat.com/show_bug.cgi?id=462306 [ 5 ] Bug #462307 - CVE-2008-4094 Security: rubygem-activeresource 2.1.1 is available, please update https://bugzilla.redhat.com/show_bug.cgi?id=462307 [ 6 ] Bug #462308 - CVE-2008-4094 Security: rubygem-activesupport 2.1.1 is available, please update https://bugzilla.redhat.com/show_bug.cgi?id=462308 Solution: Apply the appropriate updates. This update can be installed with the yum update program. Use su -c 'yum update rubygem-activerecord' at the command line. For more information, refer to Managing Software with yum, available at http://docs.fedoraproject.org/yum/. http://www.securityspace.com/smysecure/catid.html?in=FEDORA-2008-8322 Risk factor : High CVSS Score: 7.5
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2008-4094 BugTraq ID: 31176 http://www.securityfocus.com/bid/31176 http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1 http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/ http://www.openwall.com/lists/oss-security/2008/09/13/2 http://www.openwall.com/lists/oss-security/2008/09/16/1 http://www.securitytracker.com/id?1020871 http://secunia.com/advisories/31875 http://secunia.com/advisories/31909 http://secunia.com/advisories/31910 SuSE Security Announcement: SUSE-SR:2008:027 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html http://www.vupen.com/english/advisories/2008/2562 XForce ISS Database: rubyonrails-activerecord-sql-injection(45109) https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
Copyright	Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com