GLSA-201412-28 : Ruby on Rails: Multiple vulnerabilities

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-201412-28
(Ruby on Rails: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in Ruby on Rails. Please
review the CVE identifiers referenced below for details.

Impact :

A remote attacker could execute arbitrary code or cause a Denial of
Service condition. Furthermore, a remote attacker may be able to execute
arbitrary SQL commands, change parameter names for form inputs and make
changes to arbitrary records in the system, bypass intended access
restrictions, render arbitrary views, inject arbitrary web script or
HTML, or conduct cross-site request forgery (CSRF) attacks.

Workaround :

There is no known workaround at this time.

See also :

https://security.gentoo.org/glsa/201412-28

Solution :

All Ruby on Rails 2.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-ruby/rails-2.3.18'
NOTE: All applications using Ruby on Rails should also be configured to
use the latest version available by running “rake rails:update”
inside the application directory.
NOTE: This is a legacy GLSA and stable updates for Ruby on Rails,
including the unaffected version listed above, are no longer available
from Gentoo. It may be possible to upgrade to the 3.2, 4.0, or 4.1
branches, however these packages are not currently stable.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true