Security Information / 2013 / Security Information -- DSA-2609-1 rails

Debian Security Advisory

DSA-2609-1 rails -- SQL query manipulation

Date Reported:

16 Jan 2013

Affected Packages:

rails

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2013-0155.

More information:

An interpretation conflict can cause the Active Record component of Rails, a web framework for the Ruby programming language, to truncate queries in unexpected ways. This may allow attackers to elevate their privileges.

For the stable distribution (squeeze), this problem has been fixed in version 2.3.5-1.2+squeeze5.

We recommend that you upgrade your rails packages.