update libextlib-ruby/ruby-extlib packages for CVE-2013-0156

Do you happen to know which version(s) of the library are impacted by this CVE?

0.9.15 and below. The maintainer released 0.9.16 with the fixes (in those commits).

I've confirmed Comment #2 with the person who committed the change upstream.

This bug affects all versions currently in Ubuntu. This package current exists in Lucid, Oneiric, and Precise, and is version 0.9.13-2 in each of those releases (synced from Debian)

This package does NOT exist in Hardy, Quantal, or Raring.

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Debdiff in Debian ticket:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=16;filename=ruby-extlib_0.9.15-2.1.debdiff;att=1;bug=697895

The same security announcement mentions the Rails actionpack package also being affected by the same bug. Again, all versions in Ubuntu currently are affected.

Raring ruby-activesupport-2.3 fixed in 2.3.14-5

Raring ruby-activesupport-3.2fixed in 3.2.6-5

Raring ruby-extlib fixed in 0.9.15-3

This should now be triaged for our packages based on Debian's https://security-tracker.debian.org/tracker/CVE-2013-0156. As Marc said, since the packages referred to in this bug is in universe or multiverse, it is community maintained. When a debdiffs are available, members of the security team will review them and publish the packages. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Note, people helping out with this bug may want to also look at bug #1100188.

This bug was fixed in the package ruby-activesupport-2.3 - 2.3.14-2ubuntu0.12.04.1

---------------
ruby-activesupport-2.3 (2.3.14-2ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY UPDATE: vulnerabilities in parameter parsing (LP: #1098357)
    - debian/patches/CVE-2013-0156.patch: added patch from Debian 2.3.14-5
    - CVE-2013-0156
 -- Marc Deslauriers <email address hidden> Fri, 18 Jan 2013 08:49:38 -0500

This bug was fixed in the package ruby-activesupport-2.3 - 2.3.14-4ubuntu0.1

---------------
ruby-activesupport-2.3 (2.3.14-4ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: vulnerabilities in parameter parsing (LP: #1098357)
    - debian/patches/CVE-2013-0156.patch: added patch from Debian 2.3.14-5
    - CVE-2013-0156
 -- Marc Deslauriers <email address hidden> Fri, 18 Jan 2013 08:46:18 -0500

This bug was fixed in the package ruby-activesupport-2.3 - 2.3.14-2ubuntu0.11.10.1

---------------
ruby-activesupport-2.3 (2.3.14-2ubuntu0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: vulnerabilities in parameter parsing (LP: #1098357)
    - debian/patches/CVE-2013-0156.patch: added patch from Debian 2.3.14-5
    - CVE-2013-0156
 -- Marc Deslauriers <email address hidden> Fri, 18 Jan 2013 08:49:38 -0500

This bug was fixed in the package ruby-activesupport-3.2 - 3.2.6-4ubuntu0.1

---------------
ruby-activesupport-3.2 (3.2.6-4ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: vulnerabilities in parameter parsing (LP: #1098357)
    - debian/patches/CVE-2013-0156.patch: added patch from Debian 3.2.6-5
    - CVE-2013-0156
 -- Marc Deslauriers <email address hidden> Fri, 18 Jan 2013 08:43:58 -0500

This bug was fixed in the package ruby-extlib - 0.9.15-2ubuntu0.1

---------------
ruby-extlib (0.9.15-2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: XML parser symbol and YAML coercion (LP: #1098357)
    - Add upstream patches 633974b2759d9b92 and 4540e7102b803624 as has
      been done in Debian 0.9.15-3.
    - CVE-2013-0156
 -- Marc Deslauriers <email address hidden> Fri, 18 Jan 2013 08:58:08 -0500

Thank you for reporting this bug to Ubuntu. hardy has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against hardy is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Ubuntu 10.04 (Lucid) is no longer supported. Marking as Won't Fix.

I've synced the libextlib-ruby package from Debian's squeeze-lts archive to fix this issue in Ubuntu 12.04. The fixed libextlib-ruby version in Ubuntu 12.04 is 0.9.13-2+deb6u1build0.12.04.1

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".