all versions of rails are vulnerable to CVE-2009-3009

Bug #425988 reported by Łukasz Stelmach
Affects           Status        Importance  Assigned to  Milestone
rails (Ubuntu)    Fix Released  Medium      Unassigned
  Dapper          Won't Fix     Medium      Unassigned
  Hardy           Won't Fix     Medium      Unassigned
  Intrepid        Invalid       Medium      Unassigned
  Jaunty          Won't Fix     Medium      Unassigned

Bug Description

Binary package hint: rails

A very serious rails vulnerability, CVE-2009-3009, was disclosed four days ago. Unpatched rails does not prevent XSS crafted with invalid UTF-8 chars. See details at [1] and [2].

[1]http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4
[2]http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
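The report above says only that unpatched Rails "does not prevent XSS crafted with invalid UTF-8 chars". The following is an added example, not code from this bug report, from Rails or from the Ubuntu package; it shows the shape of the problem and two ways to escape that do not depend on the input being valid UTF-8. The helper names (escape_chars, escape_bytes, escape_scrubbed, char_escaper_raises?) and the payload are constructed for illustration. Under Ruby 1.8 with $KCODE='u' a character-oriented regexp could step over the byte that followed a stray UTF-8 lead byte, so a '<' placed there was never escaped; Ruby 1.9 and later instead raise ArgumentError when a regexp is matched against a string whose bytes are invalid in its encoding, which turns the same input from an XSS into a request failure unless the escaper handles it.

```ruby
# Added example (not code from this bug report or from Rails): why an HTML
# escaper must work on validated text or on raw bytes when input can carry
# invalid UTF-8, the failure class behind CVE-2009-3009.

HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

# Character-oriented escaper, the shape of the vulnerable pattern: the regexp
# is matched in the string's declared encoding. Under Ruby 1.8 with
# $KCODE='u' the scanner could step over the byte after a stray lead byte
# such as 0xC3, so a '<' following it was never escaped. Ruby 1.9+ refuses
# to match against a string whose bytes are invalid in its encoding and
# raises ArgumentError instead, so the same input becomes a crash.
def escape_chars(s)
  s.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }
end

# Byte-oriented escaper: take a binary (ASCII-8BIT) view of the string so the
# regexp sees one byte per position and every metacharacter byte is escaped
# no matter what precedes it; then re-tag the result with the original
# encoding. The invalid byte passes through unchanged, but it can no longer
# hide a tag.
def escape_bytes(s)
  enc = s.encoding
  s.b.gsub(/[&<>"']/n) { |c| HTML_ESCAPE[c] }.force_encoding(enc)
end

# Stricter alternative: replace invalid sequences with U+FFFD first, then
# escape as text, so the output is always valid UTF-8.
def escape_scrubbed(s)
  escape_chars(s.scrub("\uFFFD"))
end

# True when the character-oriented escaper raises on the input (Ruby 1.9+).
def char_escaper_raises?(s)
  escape_chars(s)
  false
rescue ArgumentError
  true
end

# Constructed payload: a lone UTF-8 lead byte (0xC3) immediately followed by
# a script tag. The string is tagged UTF-8 but is not valid UTF-8.
PAYLOAD = "\xC3<script>alert(1)</script>".dup.force_encoding(Encoding::UTF_8)

if __FILE__ == $0
  puts "valid UTF-8?          #{PAYLOAD.valid_encoding?}"
  puts "escape_chars raises?  #{char_escaper_raises?(PAYLOAD)}"
  puts "escape_bytes:         #{escape_bytes(PAYLOAD).inspect}"
  puts "escape_scrubbed:      #{escape_scrubbed(PAYLOAD).inspect}"
end
```

Of the two safe variants, escape_bytes preserves the caller's bytes and only guarantees that no metacharacter survives, while escape_scrubbed also guarantees the output is valid UTF-8; either is acceptable as long as the application never escapes by scanning characters in a string it has not validated.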

Kees Cook (kees)
visibility: private → public
Changed in rails (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Scott Kitterman (kitterman) wrote :

Fixed in Karmic:

 rails (2.2.3-1) unstable; urgency=high
 .
   * New upstream release (closes: #545063)
     + Fixes XSS security hole [CVE-2009-3009]
     + Fixes timing issue with cookie store [CVE-2009-3086]
   * Remove dependency on ruby-dbi, as it is not required by any of the
     sources.
   * Correct dependency on fixed libxml-simple-ruby to 1.0.11-2 or later
     (closes: #538982)
   * debian/control
     + Change section from web to ruby
     + Updated to debhelper 7.0+
     + Standards updated to 3.8.3 - no changes

Changed in rails (Ubuntu):
status: Confirmed → Fix Released
Changed in rails (Ubuntu Dapper):
status: New → Confirmed
Changed in rails (Ubuntu Hardy):
status: New → Confirmed
Changed in rails (Ubuntu Intrepid):
status: New → Confirmed
Changed in rails (Ubuntu Dapper):
importance: Undecided → Medium
Changed in rails (Ubuntu Jaunty):
status: New → Confirmed
importance: Undecided → Medium
Changed in rails (Ubuntu Intrepid):
importance: Undecided → Medium
Changed in rails (Ubuntu Hardy):
importance: Undecided → Medium
Łukasz Stelmach (steelman) wrote :

Is there going to be a fix for Jaunty? The patch for 2.1.x is available upstream.

Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in rails (Ubuntu Intrepid):
status: Confirmed → Invalid
Alex Valavanis (valavanisalex) wrote :

Jaunty reached end-of-life on 23 October 2010. The bug is marked as fixed in later versions of Ubuntu.

Changed in rails (Ubuntu Jaunty):
status: Confirmed → Won't Fix
Changed in rails (Ubuntu Dapper):
status: Confirmed → Won't Fix
Changed in rails (Ubuntu Hardy):
status: Confirmed → Won't Fix