Category: Debian Local Security Checks
Title: Debian Security Advisory DSA 2613-1 (rails - insufficient input validation)
Summary: Lawrence Pit discovered that Ruby on Rails, a web development framework, is vulnerable to a flaw in the parsing of JSON to YAML. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML. The vulnerability has been addressed by removing the YAML backend and adding the OkJson backend.
Affected software: rails on Debian Linux
For the stable distribution (squeeze), this problem has been fixed in
For the testing distribution (wheezy), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 2.3.14-6 of the ruby-activesupport-2.3 package.
The 3.2 version of rails as found in Debian wheezy and sid is not
affected by the problem.
We recommend that you upgrade your rails packages.
Common Vulnerabilities and Exposures (CVE) ID: CVE-2013-0333
CERT/CC vulnerability note: VU#628463
Debian Security Information: DSA-2613
RedHat Security Advisories: RHSA-2013:0201
RedHat Security Advisories: RHSA-2013:0202
RedHat Security Advisories: RHSA-2013:0203
Copyright (C) 2013 Greenbone Networks GmbH http://greenbone.net