Red Hat Product Errata RHSA-2014:1863 - Security Advisory
Issued:
2014-11-17
Updated:
2014-11-17

RHSA-2014:1863 - Security Advisory

Synopsis

Important: Subscription Asset Manager 1.4 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated Subscription Asset Manager 1.4 packages that fix multiple security
issues are now available.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines. Red Hat
Subscription Asset Manager is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.

A directory traversal flaw was found in the way Ruby on Rails handled
wildcard segments in routes with implicit rendering. A remote attacker
could use this flaw to retrieve arbitrary local files accessible to a Ruby
on Rails application using the aforementioned routes via a specially
crafted request. (CVE-2014-0130)

A flaw was found in the way Ruby on Rails handled hashes in certain
queries. A remote attacker could use this flaw to perform a denial of
service (resource consumption) attack by sending specially crafted queries
that would result in the creation of Ruby symbols, which were never garbage
collected. (CVE-2013-1854)

Two cross-site scripting (XSS) flaws were found in Action Pack. A remote
attacker could use these flaws to conduct XSS attacks against users of an
application using Action Pack. (CVE-2013-1855, CVE-2013-1857)

It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)

A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)

It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. (CVE-2013-6415)

Red Hat would like to thank Ruby on Rails upstream for reporting these
issues. Upstream acknowledges Ben Murphy as the original reporter of
CVE-2013-1854, Charlie Somerville as the original reporter of
CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857,
Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the
original reporter of CVE-2013-6414, and Ankit Gupta as the original
reporter of CVE-2013-6415.

All Subscription Asset Manager users are advised to upgrade to these
updated packages, which contain backported patches to correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 6 x86_64

Fixes

  • BZ - 921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability
  • BZ - 921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css
  • BZ - 921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails
  • BZ - 1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS
  • BZ - 1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
  • BZ - 1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
  • BZ - 1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue

Red Hat Enterprise Linux Server 6

SRPM
katello-1.4.3.28-1.el6sam_splice.src.rpm SHA-256: 0279cc775e8af6e73a6b19f72d209a92a6584f7fa10c178f6a8f53c6c110267b
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm SHA-256: 31ac7954ada99ebc2959b4617fc9b562a61e2ef853f6937a8550ac491216d5b9
ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm SHA-256: 5f0eda380b073cdcb874834ac9a6a031296f45dddea72236cf1895c127a68ffa
ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm SHA-256: 697d3db637499bc539bdab8110b203b853c3fa8f48a2927edeb75626f1974a52
ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm SHA-256: 59d6532b099561bbfaea5bb3964947c1c1fc8188a868c810d71d7277a3defec8
ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm SHA-256: 4c894a67dc4fd88a1bc20ffa55c0545af075cfac4b53873c2654e6a00e440cbe
ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm SHA-256: 83bcd2ec4ff54e1117deff7915524ae424b772a62fb60d17453bef89af3d3029
ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm SHA-256: c7d638520dc1769b9068346cd9ea938ab548ac39c6820fc442dd73a00114c09c
ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm SHA-256: c439e08a32778c73fe2b1cfeb3ab589a2dfeabff00ea7b38b4039468159c5d70
ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm SHA-256: ec6d7d35710eb9cba6f0db5b6367a6fdee4426272fcf1bbbab558460b7cdcf4f
ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm SHA-256: af5f65702f430584f685d3556b7b2c566e929f58cf8fe381df37078eaa34a559
ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm SHA-256: 718e57548b3015994a9e172878b59cea4133dbae08a5450df88e47dde238b980
x86_64
katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm SHA-256: 1e6d2d835d5b6daf3001cf8a96c8e041c58ffa94dbdea516603ca3e08ba5d693
katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm SHA-256: 52b095d6d6d09ae9c3bc1ae6a84a5fbb44d245c70b0defea106003d0e1041dc5
katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm SHA-256: 59d7c9fc2d66a70931afc9408c2dc679c0b421fe1a23f18ad1fcc5b166abefd7
katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm SHA-256: c7069784f20ca906d50447f87e970b8dfd0fe0fcc128a3dd3f0969ef7c1aa418
katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm SHA-256: d18a3cf164a6701ea59afaf89f996f8fe7ae3248dfeb7cb88d07646c667ebeaa
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm SHA-256: 693707d67adb5950bf9f7dd45dd286450abb014799a9a2995ffbea38a4f60c62
ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm SHA-256: 8edee2c7549ec2d38fd75dc058b2e783ccf47ecaa022b30b4e397c3600adaa4d
ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm SHA-256: 0b47bb7a239592772ee48c76b931a9b78d1ea9e7b5a090d6d9a4fc2552b442da
ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm SHA-256: 1f8493fad76c2b0087c65d76d66a827c147971df169175d0a5a9650332af06e4
ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm SHA-256: 61837a7a5613a334baaf9392c1540fb77b232f320e2937f096540ce8ccb8eabe
ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm SHA-256: 510433eb0b934be67ec92a3e38691090078eb5503386f101107dfbf29fff0a7e
ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm SHA-256: b07e050c19263d47cc05ba81c600948d4d6a2599dec82f46aed1dcafdb3fc5f5
ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm SHA-256: 6bca8d7ac0ac5ee455121202a46911021edd6c9d48a032e6d788713977581752
ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm SHA-256: 972c464003c2b9ddae1c26f2aed054e9515124de16bdb57aa818d3bb7d5b4518
ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm SHA-256: 93ae0b593afe008d1c7a26cc9a5aa33749e84d191850b550d77d7f7789349004
ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm SHA-256: d29765d6deb70ae587c8d41907365d5fae2af2c1bacfe7791aa4e9ee31fd7071

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.