Bug 462308

Summary: CVE-2008-4094 Security: rubygem-activesupport 2.1.1 is available, please update
Product: [Fedora] Fedora Reporter: Robert Scheck <redhat-bugzilla>
Component: rubygem-activesupportAssignee: David Lutterkort <lutter>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: hbrock, jlieskov, mastahnke, security-response-team, sseago
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-28 18:38:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Scheck 2008-09-15 09:30:14 UTC
Description of problem:
rubygem-activesupport 2.1.1 is available and fixes a security issue, please
update on all active branches; especially the EPEL ones. And for me it seems
to work everywhere.

Version-Release number of selected component (if applicable):
rubygem-activesupport-2.1.0-1

Expected results:
rubygem-activesupport-2.1.1-1 or newer on all active branches.

Additional info:
http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
http://rails.lighthouseapp.com/projects/8994/tickets/964-fix-for-sql-injection-on-limit-and-offset-should-be-backported
http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/

Comment 1 Jan Lieskovsky 2008-09-15 10:42:45 UTC
Other references:

http://rails.lighthouseapp.com/projects/8994/tickets/288

Proposed patch:

http://rails.lighthouseapp.com/attachments/25290/0001-adding-sql-injection-fixes-for-limit-and-offset.patch

This issue affects all versions of rubygem-activesupport package, as shipped
within Fedora releases of 8, 9 and 10 and within the Extra Packages
for Enterprise Linux (EPEL) project.

Comment 2 Fedora Update System 2008-09-16 21:54:21 UTC
rubygem-activesupport-2.1.1-1.fc9,rubygem-activerecord-2.1.1-1.fc9,rubygem-actionpack-2.1.1-1.fc9,rubygem-actionmailer-2.1.1-1.fc9,rubygem-activeresource-2.1.1-1.fc9,rubygem-rails-2.1.1-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rubygem-activesupport-2.1.1-1.fc9,rubygem-activerecord-2.1.1-1.fc9,rubygem-actionpack-2.1.1-1.fc9,rubygem-actionmailer-2.1.1-1.fc9,rubygem-activeresource-2.1.1-1.fc9,rubygem-rails-2.1.1-1.fc9

Comment 3 Fedora Update System 2008-09-16 23:36:46 UTC
rubygems-1.2.0-2.fc8,rubygem-activesupport-2.1.1-1.fc8,rubygem-activerecord-2.1.1-1.fc8,rubygem-actionpack-2.1.1-1.fc8,rubygem-actionmailer-2.1.1-1.fc8,rubygem-activeresource-2.1.1-1.fc8,rubygem-rails-2.1.1-2.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/rubygems-1.2.0-2.fc8,rubygem-activesupport-2.1.1-1.fc8,rubygem-activerecord-2.1.1-1.fc8,rubygem-actionpack-2.1.1-1.fc8,rubygem-actionmailer-2.1.1-1.fc8,rubygem-activeresource-2.1.1-1.fc8,rubygem-rails-2.1.1-2.fc8

Comment 4 Fedora Update System 2008-09-25 00:16:43 UTC
rubygems-1.2.0-2.fc8, rubygem-activesupport-2.1.1-1.fc8, rubygem-activerecord-2.1.1-1.fc8, rubygem-actionpack-2.1.1-1.fc8, rubygem-actionmailer-2.1.1-1.fc8, rubygem-activeresource-2.1.1-1.fc8, rubygem-rails-2.1.1-2.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update rubygems rubygem-activesupport rubygem-activerecord rubygem-actionpack rubygem-actionmailer rubygem-activeresource rubygem-rails'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-8282

Comment 5 Fedora Update System 2008-09-25 00:22:39 UTC
rubygem-activesupport-2.1.1-1.fc9, rubygem-activerecord-2.1.1-1.fc9, rubygem-actionpack-2.1.1-1.fc9, rubygem-actionmailer-2.1.1-1.fc9, rubygem-activeresource-2.1.1-1.fc9, rubygems-1.2.0-2.fc9, rubygem-rails-2.1.1-2.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update rubygem-activesupport rubygem-activerecord rubygem-actionpack rubygem-actionmailer rubygem-activeresource rubygems rubygem-rails'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-8322

Comment 6 Fedora Update System 2008-09-28 18:38:16 UTC
rubygem-activesupport-2.1.1-1.fc9, rubygem-activerecord-2.1.1-1.fc9, rubygem-actionpack-2.1.1-1.fc9, rubygem-actionmailer-2.1.1-1.fc9, rubygem-activeresource-2.1.1-1.fc9, rubygems-1.2.0-2.fc9, rubygem-rails-2.1.1-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-10-16 02:02:04 UTC
rubygems-1.2.0-2.fc8, rubygem-activesupport-2.1.1-1.fc8, rubygem-activerecord-2.1.1-1.fc8, rubygem-actionpack-2.1.1-1.fc8, rubygem-actionmailer-2.1.1-1.fc8, rubygem-activeresource-2.1.1-1.fc8, rubygem-rails-2.1.1-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.