Bug 885636 (CVE-2014-3482) - VUL-0: CVE-2014-3482: rubygem-activerecord-3_2, rubygem-activerecord-2_3: SQL injection vulnerability in 'bitstring' quoting
Status: RESOLVED FIXED
Alias: CVE-2014-3482
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2014-07-23
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/103216/
Whiteboard: maint:released:sle11-sp3-uptu:58226 ...
Keywords:
Depends on:
Blocks:
Reported: 2014-07-03 09:22 UTC by Victor Pereira
Modified: 2014-09-09 17:04 UTC
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch for 3.2 (2.24 KB, patch)
2014-07-17 17:12 UTC, Jordi Massaguer
patch for 2.3 (732 bytes, patch)
2014-07-17 17:45 UTC, Jordi Massaguer

Description Victor Pereira 2014-07-03 09:22:06 UTC
CVE-2014-3482

An SQL injection flaw was found in the PostgreSQL adapter for Active Record. An attacker could possibly perform SQL injection attacks if a Ruby on Rails application performed queries against the bitstring type.

This issue affects versions 2.0.0-3.2.18 and newer. It is reported that versions 4.0 and newer are not affected.
References:
https://github.com/rails/rails/commit/1f2192e46d78ee0ba2b06373f2c24caf8440ff5b (upstream commit 3.2)
http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/
https://bugzilla.redhat.com/show_bug.cgi?id=1114425
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3482
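The description and the upstream commit it cites concern how the PostgreSQL adapter quoted bit-string values. The following is an added example, not code from this bug report or from Rails: a hypothetical quoting helper that whitelists the value with line-anchored regexes (in Ruby, ^ and $ match at line boundaries, not string boundaries) next to a variant anchored to the whole string with \A and \z, exercised with a constructed multi-line value.

```ruby
# Added example: why a regex whitelist anchored with ^ and $ is not enough
# to guard a SQL literal in Ruby. ^ and $ match at line boundaries, so a
# value containing a newline can satisfy /^[01]*$/ on its first line while
# carrying arbitrary text after it. \A and \z anchor to the whole string.

# Hypothetical pre-fix style quoting of a PostgreSQL bit-string literal
# (line anchors). Not the adapter's code; written for this example.
def quote_bit_vulnerable(value)
  case value
  when /^[01]*$/      then "B'#{value}'"   # bit-string notation
  when /^[0-9A-F]*$/i then "X'#{value}'"   # hexadecimal notation
  end
end

# Hardened variant: whole-string anchors reject anything outside the
# allowed alphabet, and an unexpected value raises instead of returning nil.
def quote_bit_fixed(value)
  case value
  when /\A[01]*\z/      then "B'#{value}'"
  when /\A[0-9A-F]*\z/i then "X'#{value}'"
  else
    raise ArgumentError, "invalid bit-string value: #{value.inspect}"
  end
end

# Constructed sample inputs: a legitimate bit string, and a multi-line value
# whose first line looks like a bit string but which closes the quote after
# the newline. The vulnerable helper accepts it; the hardened one rejects it.
GOOD = "1010"
BAD  = "1010\n' -- not a bit string"

if __FILE__ == $0
  puts quote_bit_vulnerable(GOOD)          # B'1010'
  puts quote_bit_vulnerable(BAD).inspect   # quote closed by the value itself
  puts quote_bit_fixed(GOOD)               # B'1010'
  begin
    quote_bit_fixed(BAD)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The same pitfall applies to any Ruby input validation that uses ^ and $ on user-controlled strings; \A and \z are the anchors that mean "whole string".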
Comment 2 Swamp Workflow Management 2014-07-03 22:00:22 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2014-07-09 09:23:32 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-07-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58205
Comment 4 SMASH SMASH 2014-07-09 09:25:12 UTC
Affected packages:

SLE-11-SP2-PRODUCTS: rubygem-activerecord-3_2
SLE-11-SP3: rubygem-activerecord-3_2, rubygem-activerecord-2_1, rubygem-activerecord-2_3, rubygem-activerecord-3_1, rubygem-rails-2_3
SLE-12: rubygem-activerecord-3_2
Comment 5 Jordi Massaguer 2014-07-17 17:12:16 UTC
Created attachment 599021 [details]
patch for 3.2
Comment 6 Jordi Massaguer 2014-07-17 17:45:33 UTC
Created attachment 599029 [details]
patch for 2.3
Comment 8 Jordi Massaguer 2014-07-18 11:29:06 UTC
for devel:languages:ruby:extensions, see sr#241469
Comment 10 Ruediger Oertel 2014-07-30 13:16:37 UTC
no update submitted yet for rubygem-rails-2_3 ... ping
Comment 14 Jordi Massaguer 2014-07-31 09:46:10 UTC
@rudi: victor has reviewed the description.
Comment 15 Ruediger Oertel 2014-07-31 09:58:41 UTC
no more open patchinfos for this one, I'm happy ... ;)
Comment 16 Swamp Workflow Management 2014-08-12 23:05:20 UTC
SUSE-SU-2014:0994-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 885636
CVE References: CVE-2014-3482
Sources used:
SUSE Cloud 3 (src):    rubygem-activerecord-2_3-2.3.17-0.15.1
Comment 17 Swamp Workflow Management 2014-08-28 17:05:11 UTC
SUSE-SU-2014:0994-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 885636
CVE References: CVE-2014-3482
Sources used:
SUSE Cloud 4 (src):    rubygem-activerecord-2_3-2.3.17-0.15.3
Comment 18 Marcus Meissner 2014-09-09 11:52:42 UTC
all released, I think
Comment 19 Swamp Workflow Management 2014-09-09 17:04:28 UTC
SUSE-SU-2014:0994-3: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 885636
CVE References: CVE-2014-3482
Sources used:
WebYaST 1.3 (src):    rubygem-activerecord-3_2-3.2.12-0.11.1
SUSE Studio Onsite 1.3 (src):    rubygem-activerecord-3_2-3.2.12-0.11.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-activerecord-3_2-3.2.12-0.11.1