Security update for rubygem-activerecord-3_2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:0619-1 Final 1 1 2016-03-01T13:53:09Z current 2016-03-01T13:53:09Z 2016-03-01T13:53:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-activerecord-3_2 This update for rubygem-activerecord-3_2 fixes the following issues: - CVE-2015-7577: rubygem-activerecord: Nested attributes rejection proc bypass (bsc#963330) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-rubygem-activerecord-3_2-12433,sleslms13-rubygem-activerecord-3_2-12433,slestso13-rubygem-activerecord-3_2-12433,slewyst13-rubygem-activerecord-3_2-12433 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20160619-1/ Link for SUSE-SU-2016:0619-1 https://lists.suse.com/pipermail/sle-security-updates/2016-March/001902.html E-Mail link for SUSE-SU-2016:0619-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/963330 SUSE Bug 963330 https://www.suse.com/security/cve/CVE-2015-7577/ SUSE CVE CVE-2015-7577 page SUSE Lifecycle Management Server 1.3 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Studio Onsite 1.3 SUSE WebYast 1.3 rubygem-activerecord-3_2-3.2.12-0.15.1 rubygem-activerecord-3_2-3.2.12-0.15.1 as a component of SUSE Lifecycle Management Server 1.3 rubygem-activerecord-3_2-3.2.12-0.15.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 rubygem-activerecord-3_2-3.2.12-0.15.1 as a component of SUSE Studio Onsite 1.3 rubygem-activerecord-3_2-3.2.12-0.15.1 as a component of SUSE WebYast 1.3 activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature. CVE-2015-7577 SUSE Lifecycle Management Server 1.3:rubygem-activerecord-3_2-3.2.12-0.15.1 SUSE Linux Enterprise Software Development Kit 11 SP4:rubygem-activerecord-3_2-3.2.12-0.15.1 SUSE Studio Onsite 1.3:rubygem-activerecord-3_2-3.2.12-0.15.1 SUSE WebYast 1.3:rubygem-activerecord-3_2-3.2.12-0.15.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160619-1/ https://www.suse.com/security/cve/CVE-2015-7577.html CVE-2015-7577 https://bugzilla.suse.com/963330 SUSE Bug 963330 https://bugzilla.suse.com/963604 SUSE Bug 963604