Bug 854166 (CVE-2013-4492) - VUL-0: CVE-2013-4492: rubygem-i18n: missing translation XSS
Summary: VUL-0: CVE-2013-4492: rubygem-i18n: missing translation XSS
Status: RESOLVED FIXED
Alias: CVE-2013-4492
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:56403 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-06 15:33 UTC by Alexander Bergmann
Modified: 2014-05-28 19:05 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch for i18n 0.6.x (3.33 KB, application/octet-stream)
2013-12-11 16:26 UTC, Jordi Massaguer

Description Alexander Bergmann 2013-12-06 15:33:30 UTC
bug#853625 references rubygem-i18n as the root cause of CVE-2013-4491.

...
The root cause of this issue is a vulnerability in the i18n gem which has been
assigned the identifier CVE-2013-4492. For this reason applications are also
not affected if they have upgraded to the following i18n versions: 
* i18n-0.6.6 for Rails 4.0.x and 3.2.x applications
* i18n-0.5.1 for Rails 3.1.x and 3.0.x applications
...

CVE-2013-4492 was assigned to this issue.
Comment 1 Swamp Workflow Management 2013-12-06 23:00:27 UTC
bugbot adjusting priority
Comment 3 Jordi Massaguer 2013-12-11 16:26:51 UTC
Created attachment 571366 [details]
patch for i18n 0.6.x
Comment 4 Jordi Massaguer 2013-12-11 16:44:29 UTC
in i18n-0.4.x there is no "html_message" method in I18n::MissingTranslation thus it is not affected.
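A constructed Ruby illustration of the defect class behind this report, added here and not the i18n gem's own code (the method names and the key-humanising rule are assumptions): the missing-translation span rendered with the lookup key interpolated unescaped, beside the escaped form that neutralises markup carried in the key.

```ruby
require 'erb'

# Constructed illustration of the CVE-2013-4492 defect class; this is not
# the i18n gem's code. Method and helper names here are assumptions.

# Assumed humanising rule for the visible text: last key segment with
# underscores turned into spaces.
def humanize_key(keys)
  keys.last.to_s.tr('_', ' ')
end

# Vulnerable shape: the lookup key is interpolated into markup as-is, so
# a key built from request data reaches the page as live HTML whenever
# the translation is missing.
def html_message_unescaped(keys)
  %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{humanize_key(keys)}</span>)
end

# Hardened shape: title attribute and visible text are HTML-escaped
# before interpolation, so the key can only ever render as text.
def html_message_escaped(keys)
  title = ERB::Util.html_escape("translation missing: #{keys.join('.')}")
  text  = ERB::Util.html_escape(humanize_key(keys))
  %(<span class="translation_missing" title="#{title}">#{text}</span>)
end

# Regression check: true when no raw markup from the key survives in the
# rendered fragment (keys without markup characters trivially pass).
def key_markup_neutralised?(html, keys)
  raw = keys.last.to_s
  !raw.match?(/[<>"']/) || !html.include?(raw)
end

if __FILE__ == $0
  # Constructed sample: a missing key whose last segment carries markup
  keys = [:user, :profile, "<b>not_a_key</b>"]
  puts html_message_unescaped(keys) # the <b> tag survives verbatim
  puts html_message_escaped(keys)   # text becomes &lt;b&gt;not a key&lt;/b&gt;
end
```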
Comment 5 Bernhard Wiedemann 2013-12-11 18:00:41 UTC
This is an autogenerated message for OBS integration:
This bug (854166) was mentioned in
https://build.opensuse.org/request/show/210589 12.3 / rubygem-i18n
https://build.opensuse.org/request/show/210590 13.1 / rubygem-i18n
https://build.opensuse.org/request/show/210591 12.2 / rubygem-i18n-0_6
Comment 7 Swamp Workflow Management 2013-12-23 14:05:35 UTC
openSUSE-SU-2013:1930-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 854166
CVE References: CVE-2013-4492
Sources used:
openSUSE 13.1 (src):    rubygem-i18n-0.6.4-2.4.1
openSUSE 12.3 (src):    rubygem-i18n-0.6.1-2.4.1
openSUSE 12.2 (src):    rubygem-i18n-0_6-0.6.0-2.4.1
Comment 9 Swamp Workflow Management 2014-03-27 19:12:20 UTC
Update released for: rubygem-i18n-0_6, rubygem-i18n-0_6-doc, rubygem-i18n-0_6-testsuite
Products:
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 10 Swamp Workflow Management 2014-03-27 23:04:22 UTC
SUSE-SU-2014:0458-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 854166,855139,864873
CVE References: CVE-2013-4492
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    rubygem-i18n-0_6-0.6.0-0.8.1
Comment 12 Swamp Workflow Management 2014-05-28 15:23:09 UTC
Update released for: rubygem-i18n-0_6, rubygem-i18n-0_6-doc, rubygem-i18n-0_6-testsuite
Products:
SLE-SLMS 1.3 (x86_64)
SLE-STUDIOONSITE 1.3 (x86_64)
SLE-WEBYAST 1.3 (i386, ia64, ppc64, s390x, x86_64)
Comment 13 Swamp Workflow Management 2014-05-28 19:05:43 UTC
SUSE-SU-2014:0458-2: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 854166,855139,864873
CVE References: CVE-2013-4492
Sources used:
WebYaST 1.3 (src):    rubygem-i18n-0_6-0.6.0-0.8.1
SUSE Studio Onsite 1.3 (src):    rubygem-i18n-0_6-0.6.0-0.8.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-i18n-0_6-0.6.0-0.8.1