Bug 462306 (CVE-2008-4094) - CVE-2008-4094 Security: rubygem-activerecord 2.1.1 is available, please update
Summary: CVE-2008-4094 Security: rubygem-activerecord 2.1.1 is available, please update
Keywords:
Status: CLOSED NEXTRELEASE
Alias: CVE-2008-4094
Product: Fedora
Classification: Fedora
Component: rubygem-activerecord
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: David Lutterkort
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-09-15 09:19 UTC by Robert Scheck
Modified: 2013-04-30 23:40 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-28 18:38:27 UTC



Description Robert Scheck 2008-09-15 09:19:01 UTC
Description of problem:
rubygem-activerecord 2.1.1 is available and fixes a security issue; please
update on all active branches, especially the EPEL ones. For me it seems
to work everywhere.

Version-Release number of selected component (if applicable):
rubygem-activerecord-2.1.0-1

Expected results:
rubygem-activerecord-2.1.1-1 or newer on all active branches.

Additional info:
http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
http://rails.lighthouseapp.com/projects/8994/tickets/964-fix-for-sql-injection-on-limit-and-offset-should-be-backported
http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/

Comment 1 Jan Lieskovsky 2008-09-15 10:42:08 UTC
Other references:

http://rails.lighthouseapp.com/projects/8994/tickets/288

Proposed patch:

http://rails.lighthouseapp.com/attachments/25290/0001-adding-sql-injection-fixes-for-limit-and-offset.patch

This issue affects all versions of the rubygem-activerecord package as shipped
in Fedora 8, 9 and 10 and in the Extra Packages for Enterprise Linux (EPEL)
project.
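The ticket and patch above describe the bug only by name (SQL injection through the LIMIT and OFFSET parameters). The following block is an added illustration written for this page, not ActiveRecord's own code and not the linked patch: it reimplements, in a few lines of plain Ruby, the pattern the fix addresses. The function names (`vulnerable_limit_offset`, `sanitize_limit`, `safe_limit_offset`, `limit_clause_ok?`) and the attacker input are constructed for the example; the shape of a real payload depends on the database.

```ruby
# Illustrative reimplementation of the LIMIT/OFFSET handling pattern behind
# CVE-2008-4094. Not ActiveRecord code; names and inputs are constructed.

# Vulnerable pattern: whatever came in from the request (e.g. params[:limit])
# is interpolated verbatim into the SQL string, so any non-numeric text the
# caller passes becomes part of the query.
def vulnerable_limit_offset(limit, offset)
  parts = []
  parts << "LIMIT #{limit}" if limit
  parts << "OFFSET #{offset}" if offset
  parts.empty? ? "" : " " + parts.join(" ")
end

# Hardened pattern: coerce to integers before the value reaches the SQL text.
# MySQL's "LIMIT offset,count" comma form is kept, but each part is coerced
# separately. Note the failure mode of to_i: a non-numeric value becomes 0
# rather than raising, so "LIMIT 0" is what an invalid limit turns into.
def sanitize_limit(limit)
  if limit.to_s.include?(",")
    limit.to_s.split(",").map { |i| i.to_i }.join(",")
  else
    limit.to_i
  end
end

def safe_limit_offset(limit, offset)
  parts = []
  parts << "LIMIT #{sanitize_limit(limit)}" if limit
  parts << "OFFSET #{offset.to_i}" if offset
  parts.empty? ? "" : " " + parts.join(" ")
end

# Sanity check a practitioner can run over generated clauses: only digits
# (optionally "n,m" for the MySQL form) may follow LIMIT and OFFSET.
def limit_clause_ok?(clause)
  !!(clause =~ /\A( LIMIT \d+(,\d+)?)?( OFFSET \d+)?\z/)
end

# Constructed attacker input: a number followed by arbitrary SQL text.
TAINTED_LIMIT  = "1; DELETE FROM users"
TAINTED_OFFSET = "5 OR 1=1"

if __FILE__ == $0
  puts "vulnerable: #{vulnerable_limit_offset(TAINTED_LIMIT, TAINTED_OFFSET).inspect}"
  puts "hardened:   #{safe_limit_offset(TAINTED_LIMIT, TAINTED_OFFSET).inspect}"
end
```

Running the block prints the vulnerable clause with the injected text intact and the hardened clause reduced to `LIMIT 1 OFFSET 5`. The same check applies when auditing any code that builds paging clauses from request parameters: the value must be coerced (or bound) before interpolation, and the output should never contain anything but digits after the keyword.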

Comment 2 Fedora Update System 2008-09-16 21:54:15 UTC
rubygem-activesupport-2.1.1-1.fc9,rubygem-activerecord-2.1.1-1.fc9,rubygem-actionpack-2.1.1-1.fc9,rubygem-actionmailer-2.1.1-1.fc9,rubygem-activeresource-2.1.1-1.fc9,rubygem-rails-2.1.1-1.fc9 have been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rubygem-activesupport-2.1.1-1.fc9,rubygem-activerecord-2.1.1-1.fc9,rubygem-actionpack-2.1.1-1.fc9,rubygem-actionmailer-2.1.1-1.fc9,rubygem-activeresource-2.1.1-1.fc9,rubygem-rails-2.1.1-1.fc9

Comment 3 Fedora Update System 2008-09-16 23:36:40 UTC
rubygems-1.2.0-2.fc8,rubygem-activesupport-2.1.1-1.fc8,rubygem-activerecord-2.1.1-1.fc8,rubygem-actionpack-2.1.1-1.fc8,rubygem-actionmailer-2.1.1-1.fc8,rubygem-activeresource-2.1.1-1.fc8,rubygem-rails-2.1.1-2.fc8 have been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/rubygems-1.2.0-2.fc8,rubygem-activesupport-2.1.1-1.fc8,rubygem-activerecord-2.1.1-1.fc8,rubygem-actionpack-2.1.1-1.fc8,rubygem-actionmailer-2.1.1-1.fc8,rubygem-activeresource-2.1.1-1.fc8,rubygem-rails-2.1.1-2.fc8

Comment 4 Fedora Update System 2008-09-25 00:16:37 UTC
rubygems-1.2.0-2.fc8, rubygem-activesupport-2.1.1-1.fc8, rubygem-activerecord-2.1.1-1.fc8, rubygem-actionpack-2.1.1-1.fc8, rubygem-actionmailer-2.1.1-1.fc8, rubygem-activeresource-2.1.1-1.fc8, rubygem-rails-2.1.1-2.fc8 have been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update rubygems rubygem-activesupport rubygem-activerecord rubygem-actionpack rubygem-actionmailer rubygem-activeresource rubygem-rails'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-8282

Comment 5 Fedora Update System 2008-09-25 00:22:33 UTC
rubygem-activesupport-2.1.1-1.fc9, rubygem-activerecord-2.1.1-1.fc9, rubygem-actionpack-2.1.1-1.fc9, rubygem-actionmailer-2.1.1-1.fc9, rubygem-activeresource-2.1.1-1.fc9, rubygems-1.2.0-2.fc9, rubygem-rails-2.1.1-2.fc9 have been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update rubygem-activesupport rubygem-activerecord rubygem-actionpack rubygem-actionmailer rubygem-activeresource rubygems rubygem-rails'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-8322

Comment 6 Fedora Update System 2008-09-28 18:38:11 UTC
rubygem-activesupport-2.1.1-1.fc9, rubygem-activerecord-2.1.1-1.fc9, rubygem-actionpack-2.1.1-1.fc9, rubygem-actionmailer-2.1.1-1.fc9, rubygem-activeresource-2.1.1-1.fc9, rubygems-1.2.0-2.fc9, rubygem-rails-2.1.1-2.fc9 have been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-10-16 02:01:59 UTC
rubygems-1.2.0-2.fc8, rubygem-activesupport-2.1.1-1.fc8, rubygem-activerecord-2.1.1-1.fc8, rubygem-actionpack-2.1.1-1.fc8, rubygem-actionmailer-2.1.1-1.fc8, rubygem-activeresource-2.1.1-1.fc8, rubygem-rails-2.1.1-2.fc8 have been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

