Bug 1065517 (CVE-2014-0080)
| Field | Value |
|---|---|
| Summary | CVE-2014-0080 rubygem-activerecord: PostgreSQL array data injection vulnerability |
| Product | [Other] Security Response |
| Reporter | Kurt Seifried <kseifried> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | bgollahe, drieden, jstribny, mmaslano, nobody+bgollahe, security-response-team, tdawson, tkramer |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | rubygem-activerecord 4.0.3, rubygem-activerecord 4.1.0.beta2 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2014-02-18 20:56:55 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1065585, 1066671 |
| Bug Blocks | 1065543 |
Description

Kurt Seifried, 2014-02-14 20:36:27 UTC

Created attachment 863434 [details]: 4-0-array_injection.patch

Created attachment 863435 [details]: 4-1-beta-array_injection.patch

Acknowledgement: Red Hat would like to thank the Ruby on Rails Project for reporting this issue. Upstream acknowledges Godfrey Chan as the original reporter.

Statement: Not vulnerable. This issue did not affect the versions of rubygem-activerecord as shipped with CloudForms, OpenShift Enterprise 1 and 2, Red Hat Enterprise Linux OpenStack Platform 3 and 4, Red Hat Software Collections 1 and Subscription Asset Manager as they did not include the vulnerable code.

Created rubygem-activerecord tracking bugs for this issue:

Affects: fedora-20 [bug 1066671]

Fixed upstream in 4.0.3 and 4.1.0.beta2:
http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/
https://groups.google.com/forum/#!topic/ruby-security-ann/S8FleL3IXPs

Upstream commits (4.0 and master):
https://github.com/rails/rails/commit/3eaea655a506ed035fab3d143aa918958cf52405
https://github.com/rails/rails/commit/6256b1de9a2d968b0d123ad6a09b33de01019ae6

rubygem-activerecord-4.0.0-2.fc20 and rubygem-actionpack-4.0.0-3.fc20 have been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
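As an added example that is not part of this bug report or of the Rails patches it references: the bug class behind "PostgreSQL array data injection" is string data that is not escaped before being embedded in a PostgreSQL array literal, so delimiter characters inside one value change the element boundaries of the array. The Ruby below follows the array input syntax from the PostgreSQL documentation (an element containing a comma, brace, double quote, backslash or whitespace is double-quoted, and `"` and `\` inside it are backslash-escaped), puts a constructed unescaped variant beside it to show the element count changing, and includes a small parser so the round-trip property can be checked. All function names are mine and the adapter's real quoting code lives in the upstream commits listed above.

```ruby
# Added example, not Rails code: quoting one-dimensional PostgreSQL array
# literals so that the text form has exactly as many elements as the Ruby
# array, plus a parser to verify the round trip.

# Characters that make an element ambiguous unless it is double-quoted.
NEEDS_QUOTING = /[\s,{}"\\]/

# Quote one element per the PostgreSQL array input syntax: nil becomes an
# unquoted NULL; an empty string, the word "null", or anything containing a
# delimiter character is double-quoted with \ and " escaped by a backslash.
def quote_pg_array_element(value)
  return "NULL" if value.nil?
  s = value.to_s
  if s.empty? || s.casecmp("null").zero? || s =~ NEEDS_QUOTING
    '"' + s.gsub(/[\\"]/) { |c| "\\" + c } + '"'
  else
    s
  end
end

def to_pg_array_literal(values)
  "{" + values.map { |v| quote_pg_array_element(v) }.join(",") + "}"
end

# Constructed failure mode: wrap every element in double quotes but escape
# nothing. A value that itself contains '","' is read back as two elements.
def to_pg_array_literal_unescaped(values)
  "{" + values.map { |v| v.nil? ? "NULL" : "\"#{v}\"" }.join(",") + "}"
end

# Parse a one-dimensional array literal back into a Ruby array (strings and
# nil), honouring quoted elements and backslash escapes.
def parse_pg_array_literal(text)
  unless text.start_with?("{") && text.end_with?("}")
    raise ArgumentError, "not an array literal"
  end
  body = text[1...-1]
  return [] if body.empty?
  elements = []
  i = 0
  while i < body.length
    if body[i] == '"'
      i += 1
      buf = +""
      until body[i] == '"'
        raise ArgumentError, "unterminated quoted element" if i >= body.length
        if body[i] == "\\"
          i += 1
          raise ArgumentError, "dangling backslash" if i >= body.length
        end
        buf << body[i]
        i += 1
      end
      i += 1 # skip the closing quote
      elements << buf
    else
      j = body.index(",", i) || body.length
      token = body[i...j]
      elements << (token.casecmp("null").zero? ? nil : token)
      i = j
    end
    if i < body.length
      raise ArgumentError, "expected ',' at offset #{i}" unless body[i] == ","
      i += 1
    end
  end
  elements
end

# True when quoting and parsing give back the original array unchanged.
def round_trips?(values)
  parse_pg_array_literal(to_pg_array_literal(values)) == values
end

if __FILE__ == $PROGRAM_NAME
  sample = ["plain", "has,comma", 'has"quote', "back\\slash", "}", "", nil, "NULL"]
  puts to_pg_array_literal(sample)
  puts "round trip ok: #{round_trips?(sample)}"
  puts "unescaped element count: #{parse_pg_array_literal(to_pg_array_literal_unescaped(['a","b'])).length}"
end
```

The parser is deliberately strict (it raises on an unterminated quote or a dangling backslash) so that a test can assert both that escaped output survives and that the unescaped variant changes the element count, which is the property a regression test for this bug class should pin down.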