Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200608-20] Ruby on Rails: Several vulnerabilities
Vulnerability Scan Summary: Ruby on Rails: Several vulnerabilities
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200608-20
(Ruby on Rails: Several vulnerabilities)
The Ruby on Rails developers have corrected several weaknesses in
action_controller/ relating to the handling of user input and the
LOAD_PATH variable. A remote attacker could inject arbitrary entries
into the LOAD_PATH variable and alter the main Ruby on Rails process.
Version 1.1.5 only partly fixed the issue; version 1.1.6 fully
corrects it.
Impact
A remote attacker exploiting these weaknesses could cause a Denial of
Service of the web framework and possibly inject arbitrary Ruby
scripts.
Workaround
There is no known workaround at this time.
References:
http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
Solution:
All Ruby on Rails users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rails-1.1.6"
Threat Level: High