Bug 856831 (CVE-2013-6459) - VUL-0: CVE-2013-6459: rubygem-will_paginate: XSS vulnerabilities
Summary: VUL-0: CVE-2013-6459: rubygem-will_paginate: XSS vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2013-6459
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2014-01-29
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp2:55873
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-27 08:36 UTC by Marcus Meissner
Modified: 2014-03-13 16:19 UTC
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch from upstream (1.93 KB, patch)
2014-01-10 10:26 UTC, Jordi Massaguer

Description Marcus Meissner 2013-12-27 08:36:36 UTC
via oss-sec

CVE-2013-6459

https://bugzilla.redhat.com/show_bug.cgi?id=1046642

Cross-Site Scripting (XSS) vulnerabilities were found in the will_paginate gem for Ruby, where certain input related to generated pagination links was not properly sanitised before being returned. This could be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6459
https://bugzilla.redhat.com/show_bug.cgi?id=1046642
http://comments.gmane.org/gmane.comp.security.oss.general/11747
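The pattern the advisory describes (query input reaching pagination link markup unescaped) beside a hardened form, as an added illustration in Ruby; this is not will_paginate's code nor the attached upstream patch, and the helper names, the /items path and the sample parameters are constructed for the example.

```ruby
require "cgi"
require "uri"

# Constructed sample request parameters: the value of "q" carries an HTML
# fragment that must never reach the page unescaped.
PARAMS = { "q" => "\"><script>alert(1)</script>", "page" => "2" }.freeze

# Vulnerable pattern (illustrative, not will_paginate's implementation):
# query parameters are interpolated straight into the href, so a quote
# character in a value closes the attribute and the rest lands in the page.
def unsafe_page_link(params, page)
  query = params.merge("page" => page.to_s).map { |k, v| "#{k}=#{v}" }.join("&")
  %(<a href="/items?#{query}" rel="next">#{page}</a>)
end

# Hardened form: percent-encode every name and value for the URL, then
# HTML-escape the href and the link text before emitting them as markup.
def safe_page_link(params, page)
  query = URI.encode_www_form(params.merge("page" => page.to_s))
  href  = CGI.escapeHTML("/items?#{query}")
  %(<a href="#{href}" rel="next">#{CGI.escapeHTML(page.to_s)}</a>)
end

# Check a test suite can run against a renderer: did the raw tag survive?
def contains_raw_script?(html)
  html.include?("<script>")
end
```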
Comment 1 Marcus Meissner 2013-12-27 08:37:50 UTC
so far used by SLMS as far as I see.

does it get user input there? if yes, we should update.
Comment 2 Swamp Workflow Management 2013-12-27 23:00:22 UTC
bugbot adjusting priority
Comment 3 Jordi Massaguer 2014-01-10 10:26:23 UTC
Created attachment 573969
patch from upstream
Comment 6 Jordi Massaguer 2014-01-10 10:55:26 UTC
@jreidinger: can you please provide us with some info on https://bugzilla.novell.com/show_bug.cgi?id=856831#c1
Comment 7 Jordi Massaguer 2014-01-10 11:12:06 UTC
@jreidinger: I have the packages ready. Should I submit them?
Comment 8 Josef Reidinger 2014-01-10 11:43:42 UTC
yes, we use such input. But it is only after login, so risk is not critical
Comment 10 Swamp Workflow Management 2014-01-15 15:43:29 UTC
The SWAMPID for this issue is 55872.
This issue was rated as moderate.
Please submit fixed packages until 2014-01-29.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 11 Jordi Massaguer 2014-01-15 16:44:40 UTC
Packages submitted and bug reassigned.
Comment 12 Swamp Workflow Management 2014-01-30 17:46:35 UTC
Update released for: rubygem-will_paginate, rubygem-will_paginate-doc, rubygem-will_paginate-testsuite
Products:
SLE-SLMS 1.3 (x86_64)
Comment 13 Swamp Workflow Management 2014-01-30 21:04:26 UTC
SUSE-SU-2014:0161-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 856831
CVE References: CVE-2013-6459
Sources used:
SUSE Lifecycle Management Server 1.3 (src):    rubygem-will_paginate-3.0.3-0.9.1
Comment 14 Marcus Meissner 2014-03-13 16:19:21 UTC
released