Upstream information
Description
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
NVD CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Novell/SUSE information
Novell Bugzilla entry: 800320, 809839
SUSE Security Advisories:
- SUSE-SU-2013:0606-1, published Wed, 3 Apr 2013 20:06:19 +0200 (CEST)
- openSUSE-SU-2013:0278-1, published Tue, 12 Feb 2013 10:10:39 +0100 (CET)
- openSUSE-SU-2013:0280-1, published Tue, 12 Feb 2013 11:04:29 +0100 (CET)
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Cloud 1.0 | | Builds SAT Patch Nr: 7363 |
| SUSE Linux Enterprise Software Development Kit 11 SP2 | | Builds SAT Patch Nr: 7363 |
| SUSE Studio Standard Edition 1.2 | | Builds SAT Patch Nr: 7364 |
| SUSE Studio Extension for System z 1.2 SUSE Studio Onsite 1.2 [Appliance - Studio] WebYaST 1.2 | | Builds SAT Patch Nr: 7364 |
