[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 215-1] libjson-ruby security update

Package        : libjson-ruby
Version        : 1.1.9-1+deb6u1
CVE ID         : CVE-2013-0269

The JSON gem for Ruby allowed remote attackers to cause a denial of
service (resource consumption) or bypass the mass assignment protection
mechanism via a crafted JSON document that triggers the creation of
arbitrary Ruby symbols or certain internal objects, as demonstrated by
conducting a SQL injection attack against Ruby on Rails, aka "Unsafe
Object Creation Vulnerability."

For Debian 6 “Squeeze”, this issue has been fixed in libjson-ruby
version 1.1.9-1+deb6u1.

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Attachment: signature.asc
Description: Digital signature

Reply to: