If you haven't seen it yet, there is a security issue. Here's what SANS 
says at
https://isc.sans.edu/diary/SQL+Injection+Flaw+in+Ruby+on+Rails/14866


      SQL Injection Flaw in Ruby on Rails

Published: 2013-01-09,
Last Updated: 2013-01-09 15:37:46 UTC
by Rob VandenBrink (Version: 2)


A SQL Injection Flaw (CVE-2012-5664) was announced last week (Jan 2) in 
Ruby on Rails, but I think we missed reporting on it (thanks to one of 
our readers for pointing this out).  Updates that resolve this are: 
3.2.10, 3.1.9, and 3.0.18.

Because of the security profile of Ruby on Rails (the largest Ruby 
project around is one you should be familiar with - Metasploit), any 
security issues should be taken seriously.  However, the hype and hoopla 
that any site with RoR code on it is vulnerable is just that - the 
vulnerability being discussed is very specific in nature, but folks hear 
"sql injection" and (mistakenly as far as I can see) send it to the 
headline page.

A very complete explanation of the scenarios that are at issue is 
outlined here:
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
and here:
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/

Additional issues (CVE-2013-0155 and CVE-2013-0156) are resolved in 
these new releases also.

*Update:*

Thanks Ariel for pointing out that they've updated the original patch 
(just yesterday) with new RoR versions 3.2.11, 3.1.10, 3.0.19, and 
2.3.15.  All previous versions should be considered vulnerable.  They're 
also ratcheting up the urgency in the language around this issue - 
perhaps there's a bit more of a problem here than originally thought?

You can follow the official revision history at: 
http://weblog.rubyonrails.org/releases/

===============
Rob VandenBrink
Metafore

-- 
Gene Willacker, PCIP, PCI ISA
PCI Compliance Officer
Controller's Office
110 Administration Building
Michigan State University
517-884-4110
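As an added example that is not part of this email or of the ISC diary it quotes: a small Ruby check that classifies an installed Rails version against the fixed releases the updated advisory lists (3.2.11, 3.1.10, 3.0.19, 2.3.15), treating every earlier release on those branches as vulnerable as the diary states. The Gemfile.lock fragment is constructed, and the function and constant names are my own.

```ruby
require "rubygems"

# Fixed releases named in the updated advisory; anything earlier on these
# branches is vulnerable according to it (constructed from the diary text).
FIXED_RAILS_VERSIONS = %w[3.2.11 3.1.10 3.0.19 2.3.15].map { |v| Gem::Version.new(v) }.freeze

# Classify a Rails version string as :patched, :vulnerable, or
# :not_in_advisory (a branch the advisory does not list, so no claim is made).
# Gem::Version handles numeric comparison and pre-release ordering
# (e.g. "3.2.11.rc1" sorts below "3.2.11" and is therefore :vulnerable).
def rails_patch_status(version_string)
  version = Gem::Version.new(version_string)
  branch  = version.segments.first(2)          # e.g. [3, 2]
  fixed   = FIXED_RAILS_VERSIONS.find { |f| f.segments.first(2) == branch }
  return :not_in_advisory if fixed.nil?
  version >= fixed ? :patched : :vulnerable
end

# Pull the rails gem version out of Gemfile.lock text and classify it.
# Only the "rails (x.y.z)" spec line matches; "railties (= x.y.z)" does not.
def rails_status_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^\s+rails \(([\w.]+)\)$/)
  return :not_found unless match
  rails_patch_status(match[1])
end

# Constructed Gemfile.lock fragment for a demonstration run.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.10)
        actionmailer (= 3.2.10)
        railties (= 3.2.10)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "Gemfile.lock rails status: #{rails_status_from_lockfile(SAMPLE_LOCKFILE)}"
end
```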