Security update for rubygem-activerecord-4_1 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:0598-1 Final 1 1 2016-02-26T15:08:40Z current 2016-02-26T15:08:40Z 2016-02-26T15:08:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-activerecord-4_1 This update for rubygem-activerecord-4_1 fixes the following issues: - CVE-2016-0753: Input Validation Circumvention (bsc#963334) - CVE-2015-7577: Nested attributes rejection proc bypass (bsc#963330) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleclo50sp3-rubygem-activerecord-4_1-12423 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20160598-1/ Link for SUSE-SU-2016:0598-1 https://lists.suse.com/pipermail/sle-security-updates/2016-February/001897.html E-Mail link for SUSE-SU-2016:0598-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/963330 SUSE Bug 963330 https://bugzilla.suse.com/963334 SUSE Bug 963334 https://www.suse.com/security/cve/CVE-2015-7577/ SUSE CVE CVE-2015-7577 page https://www.suse.com/security/cve/CVE-2016-0753/ SUSE CVE CVE-2016-0753 page SUSE OpenStack Cloud 5 ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1 ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1 as a component of SUSE OpenStack Cloud 5 activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature. CVE-2015-7577 SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160598-1/ https://www.suse.com/security/cve/CVE-2015-7577.html CVE-2015-7577 https://bugzilla.suse.com/963330 SUSE Bug 963330 https://bugzilla.suse.com/963604 SUSE Bug 963604 Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters. CVE-2016-0753 SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160598-1/ https://www.suse.com/security/cve/CVE-2016-0753.html CVE-2016-0753 https://bugzilla.suse.com/963334 SUSE Bug 963334 https://bugzilla.suse.com/963617 SUSE Bug 963617