CVE-2013-1854

Name: CVE-2013-1854
Description: The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-2655-1
NVD severity: medium (attack range: remote)
Debian Bugs: 703348
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                Release                      Version              Status
rails (PTS)                   squeeze (security), squeeze  2.3.5-1.2+squeeze8   fixed
                              wheezy                       2:2.3.14.2           fixed
                              jessie, sid                  2:4.1.8-1            fixed
ruby-activerecord-2.3 (PTS)   wheezy                       2.3.14-6             fixed
ruby-activerecord-3.2 (PTS)   wheezy, wheezy (security)    3.2.6-5+deb7u1       fixed
ruby-activesupport-2.3 (PTS)  wheezy                       2.3.14-7             fixed

The information below is based on the following data on fixed versions.

Package                 Type    Release     Fixed Version        Urgency  Origin      Debian Bugs
rails                   source  (unstable)  2.3.14.1             medium
rails                   source  squeeze     2.3.5-1.2+squeeze8   medium   DSA-2655-1
ruby-activerecord-2.3   source  (unstable)  2.3.14-6             medium
ruby-activerecord-3.2   source  (unstable)  3.2.6-5              medium               703348
ruby-activesupport-2.3  source  (unstable)  2.3.14-7             medium

Notes

Starting with 2.3.14.1, rails is a transitional package.
