Bug 876714 (CVE-2014-0130) - VUL-0: CVE-2014-0130: rubygem-actionpack: directory traversal issue
Summary: VUL-0: CVE-2014-0130: rubygem-actionpack: directory traversal issue
Status: RESOLVED FIXED
Alias: CVE-2014-0130
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/98617/
Whiteboard: maint:running:57474:moderate maint:r...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-07 11:30 UTC by Sebastian Krahmer
Modified: 2015-07-23 09:31 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch for 3.2.x (5.04 KB, patch)
2014-05-16 18:01 UTC, Jordi Massaguer
proposal fix for 2.3 (647 bytes, patch)
2014-05-23 14:45 UTC, Jordi Massaguer

Comment 1 Swamp Workflow Management 2014-05-07 22:00:19 UTC
bugbot adjusting priority
Comment 7 Jordi Massaguer 2014-05-16 18:01:32 UTC
Created attachment 590629
patch for 3.2.x
Comment 10 SMASH SMASH 2014-05-19 07:50:11 UTC
Affected packages:

SLE-11-SP3: rubygem-rails
SLE-10-SP3-TERADATA: rubygem-actionpack
Comment 13 Bernhard Wiedemann 2014-05-19 16:01:11 UTC
This is an autogenerated message for OBS integration:
This bug (876714) was mentioned in
https://build.opensuse.org/request/show/234738 12.3 / rubygem-actionpack-3_2
https://build.opensuse.org/request/show/234739 13.1 / rubygem-actionpack-3_2
Comment 14 Sebastian Krahmer 2014-05-20 05:56:42 UTC
MaintenanceTracker-57474
Comment 17 Jordi Massaguer 2014-05-23 14:45:39 UTC
Created attachment 591874
proposal fix for 2.3
Comment 18 Jordi Massaguer 2014-05-23 14:46:19 UTC
I've attached a proposal for fixing 2.3. However, I am having some difficulties setting up a test environment.
Comment 21 Swamp Workflow Management 2014-05-28 09:04:24 UTC
openSUSE-SU-2014:0718-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 876714
CVE References: CVE-2014-0130
Sources used:
openSUSE 13.1 (src):    rubygem-actionpack-3_2-3.2.13-2.24.1
Comment 22 Swamp Workflow Management 2014-05-28 09:04:52 UTC
openSUSE-SU-2014:0720-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 876714
CVE References: CVE-2014-0130
Sources used:
openSUSE 12.3 (src):    rubygem-actionpack-3_2-3.2.12-1.28.1
Comment 24 Swamp Workflow Management 2014-06-04 20:54:21 UTC
Update released for: rubygem-actionpack-3_2, rubygem-actionpack-3_2-doc
Products:
SLE-SLMS 1.3 (x86_64)
SLE-STUDIOONSITE 1.3 (x86_64)
SLE-WEBYAST 1.3 (i386, ia64, ppc64, s390x, x86_64)
Comment 25 Swamp Workflow Management 2014-06-05 00:05:00 UTC
SUSE-SU-2014:0756-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 864431,864433,864873,876714
CVE References: CVE-2014-0081,CVE-2014-0082,CVE-2014-0130
Sources used:
WebYaST 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.15.1
SUSE Studio Onsite 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.15.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.15.1
Comment 26 Swamp Workflow Management 2014-06-16 19:46:00 UTC
Update released for: rubygem-actionpack-2_3
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 27 Swamp Workflow Management 2014-06-16 23:04:26 UTC
SUSE-SU-2014:0801-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 876714
CVE References: CVE-2014-0130
Sources used:
SUSE Cloud 3 (src):    rubygem-actionpack-2_3-2.3.17-0.17.1
Comment 28 Johannes Segitz 2014-06-23 11:18:15 UTC
all packages fixed
Comment 29 Victor Pereira 2015-07-23 09:31:14 UTC
resolved, fixed and released.