Info

Disclosure

Nov 26, 2009

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Nov 26, 2009

Description

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 2.3.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Unknown or Incomplete

References

Security Tracker: 1023245
CVE ID: 2009-4214 (see also: NVD)
Bugtraq ID: 37142
Secunia Advisory ID: 37446 37670 37853 37876 38669 38915 39158 44796 45839
VUPEN Advisory: ADV-2009-3352
Vendor Specific News/Changelog Entry: http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
http://lists.debian.org/debian-security-announce/2011/msg00130.html
http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00631.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01033.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01069.html
Other Advisory URL: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab
http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
http://www.debian.org/security/2011/dsa-2260
http://www.openwall.com/lists/oss-security/2009/11/27/2
http://www.openwall.com/lists/oss-security/2009/12/08/3
Mail List Post: http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
Vendor Specific Advisory URL: http://support.apple.com/kb/HT4077
http://www.debian.org/security/2011/dsa-2301
http://www.gentoo.org/security/en/glsa/glsa-200912-02.xml
News Article: http://www.computerworld.com/s/article/9174337/Apple_delivers_record_monster_security_update?taxonomyId=17
http://www.esecurityplanet.com/features/article.php/3873656/article.htm

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/60544