oss-sec mailing list archives
Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)
From: Seth Arnold <seth.arnold () canonical com>
Date: Thu, 3 Jan 2013 12:47:59 -0800
On Thu, Jan 03, 2013 at 05:43:46PM +0100, Carlos Alberto Lopez Perez wrote:
On 03/01/13 13:30, Carlos Alberto Lopez Perez wrote:
CVE-2012-5664 literally says:
And both Debian and Ubuntu have marked this CVE as NOT-FOR-US because of this (they don't ship the Authlogic gem). So I think the description for CVE-2012-5664 is incorrect and should be amended ASAP. Otherwise it will lead to confusion. People not using Authlogic would believe (wrongly) that they are not affected.
Thank you for the clarifying email and link to the very useful blog post. I had indeed said NOT-FOR-US because we don't ship authlogic, but we certainly do ship Active Record. I've updated Ubuntu's triage data.
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
Thanks!
Current thread:
- SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Aaron Patterson (Jan 02)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Carlos Alberto Lopez Perez (Jan 03)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Carlos Alberto Lopez Perez (Jan 03)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Seth Arnold (Jan 03)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) cve-assign (Jan 03)
- Re: Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Seth Arnold (Jan 04)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Carlos Alberto Lopez Perez (Jan 03)
- Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664) Carlos Alberto Lopez Perez (Jan 03)