<h1>Redmine - Defect #27356: Confusing statements concerning fixed versions on Security Advisories wiki page</h1>
<p><a href="https://www.redmine.org/issues/27356">https://www.redmine.org/issues/27356</a></p>
<p><strong>Mischa The Evil</strong>, 2017-11-24T08:39:13Z (<a href="https://www.redmine.org/issues/27356?journal_id=82234">journal #82234</a>)</p>
<p>I've spent about an hour and a half digging on this issue, yet I don't have a clear answer either. These were pretty messy times...</p>
<p>This involves:</p>
<ul>
<li>three to four CVEs:
<ul>
<li>CVE-2013-0155
<ul>
<li><a class="external" href="https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI">https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI</a></li>
<li><a class="external" href="https://groups.google.com/forum/#!msg/rubyonrails-security/c7jT-EeN9eI/L0u4e87zYGMJ">https://groups.google.com/forum/#!msg/rubyonrails-security/c7jT-EeN9eI/L0u4e87zYGMJ</a> (updated to include 2.3.x)</li>
<li><ins>CVE-2013-6417</ins>
<ul>
<li><ins><a class="external" href="https://groups.google.com/forum/#!topic/rubyonrails-security/niK4drpSHT4">https://groups.google.com/forum/#!topic/rubyonrails-security/niK4drpSHT4</a> (additional fix, never backported to 2.3.x)</ins></li>
</ul>
</li>
</ul>
</li>
<li>CVE-2013-0156
<ul>
<li><a class="external" href="https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ">https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ</a></li>
</ul>
</li>
<li>CVE-2013-0333
<ul>
<li><a class="external" href="https://groups.google.com/forum/#!topic/rubyonrails-security/1h2DR63ViGo">https://groups.google.com/forum/#!topic/rubyonrails-security/1h2DR63ViGo</a></li>
</ul>
</li>
<li><del>CVE-2012-3464</del>
<ul>
<li><del><a class="external" href="https://groups.google.com/forum/#!msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J">https://groups.google.com/forum/#!msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J</a></del></li>
</ul>
</li>
</ul>
</li>
<li>four Redmine releases:
<ul>
<li>2.2.1, 2.1.6 and 1.4.6: <a class="news" href="https://www.redmine.org/news/75">Redmine 2.2.1, 2.1.6 and 1.4.6 security releases</a></li>
<li>1.4.7: <a class="news" href="https://www.redmine.org/news/76">Redmine 1.4.7 security release</a></li>
</ul>
</li>
<li>one Redmine release hot fix
<ul>
<li>1.4.7 with Rails 2.3.16 (for CVE-2013-0333): <a class="news" href="https://www.redmine.org/news/78">New Rails vulnerability affects Redmine 1.4.7</a></li>
</ul>
</li>
<li>three Rails updates:
<ul>
<li>3.2.11</li>
<li>2.3.16</li>
<li>2.3.15</li>
</ul>
</li>
<li><del>(possibly)</del> a manually backported fix for <del>CVE-2012-3464</del> <ins>CVE-2013-0155</ins> in Redmine 1.4.7 [ <del>possibly</del> <ins>with</ins> an error in the code comments <ins>referring to CVE-2012-3464</ins>]:
<ul>
<li><a class="changeset" title="1.4-stable: add the patch for CVE-2013-0155 in Rails 2.3.15" href="https://www.redmine.org/projects/redmine/repository/svn/revisions/11197">r11197</a> and <a class="changeset" title="1.4-stable: add a link to a mail posted on 14 Jan 2013 about Rails 2.3 CVE-2013-0155" href="https://www.redmine.org/projects/redmine/repository/svn/revisions/11208">r11208</a></li>
</ul></li>
</ul>
<p><em>Updated by Mischa The Evil on 2017-11-28 to reflect latest findings.</em></p>
<hr />
<p><strong>Mischa The Evil</strong>, 2017-11-27T01:18:03Z (<a href="https://www.redmine.org/issues/27356?journal_id=82289">journal #82289</a>)</p>
<ul><li><strong>Assignee</strong> changed from <i>Jean-Philippe Lang</i> to <i>Mischa The Evil</i></li></ul>
<p>When it wasn't clear yet: I'm researching this issue. Almost done, btw. Some last commit-history checks for both Rails and Redmine and wrapping up are remaining. Though, the issues with the current table values begin to be more clearly visible already... ;)</p>
<p>Results so far (<del>and sorry upfront for the alignment, I'm copy-pasting from temp. <em>notepad.exe</em> text file in ANSI; will fix it in the end</del> <ins>fixed</ins>):</p>
<hr />
<table>
<tr>
<th style="text-align:left;">ID</th>
<th style="text-align:left;">Severity</th>
<th style="text-align:left;">Details</th>
<th style="text-align:left;">Affected versions</th>
<th style="text-align:left;">Fixed versions</th>
<th style="text-align:left;">Redmine News link</th>
</tr>
<tr>
<td>1</td>
<td>Critical</td>
<td>RoR vulnerability (announcement [1])</td>
<td>All releases prior to 2.2.1 and 2.1.6</td>
<td>Fix for 1.4.7</td>
<td><a class="news" href="http://www.redmine.org/news/78">http://www.redmine.org/news/78</a> (New Rails vulnerability affects Redmine 1.4.7), 29-01-13</td>
</tr>
<tr>
<td>2</td>
<td>Critical</td>
<td>RoR vulnerability (announcement [2])</td>
<td>All releases prior to 2.2.1 and 2.1.6</td>
<td>1.4.7</td>
<td><a class="news" href="http://www.redmine.org/news/76">http://www.redmine.org/news/76</a> (Redmine 1.4.7 security release), 20-01-13</td>
</tr>
<tr>
<td>3</td>
<td>Critical</td>
<td>RoR vulnerability (announcement [3])</td>
<td>All prior releases</td>
<td>2.2.1, 2.1.6, 1.4.6</td>
<td><a class="news" href="http://www.redmine.org/news/75">http://www.redmine.org/news/75</a> (Redmine 2.2.1, 2.1.6 and 1.4.6 security releases), 09-01-13</td>
</tr>
</table>
<p>Notes:</p>
<ol>
<li><a class="external" href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo">https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo</a><br />
"Vulnerability in JSON Parser in Ruby on Rails 3.0 and 2.3", 28-01-13<br />
CVE-2013-0333; Affected Rails: 2.3.x, 3.0.x; Not affected: 3.1.x, 3.2.x, applications using the yajl gem; Fixed: 3.0.20, 2.3.16</li>
<li><a class="external" href="https://groups.google.com/forum/#!msg/rubyonrails-security/c7jT-EeN9eI/L0u4e87zYGMJ">https://groups.google.com/forum/#!msg/rubyonrails-security/c7jT-EeN9eI/L0u4e87zYGMJ</a><br />
"Updated Advisory: Unsafe Query Generation Risk in Ruby on Rails", 14-01-13<br />
CVE-2013-0155; Affected Rails: 2.x, 3.x; Not affected: none; Fixed: 3.2.11, 3.1.10, 3.0.19, <del>2.3.15</del> <ins>2.3.16</ins><br />
Update of: <a class="external" href="https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI">https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI</a><br />
"Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)", 08-01-13<br />
CVE-2013-0155; Affected Rails: 3.x; Not affected: 2.x; Fixed: 3.2.11, 3.1.10, 3.0.19</li>
<li><a class="external" href="http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/">http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/</a><br />
"[SEC][ANN] Rails 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released!", 08-01-13<br />
CVE-2013-0155 &amp; CVE-2013-0156 [4]</li>
<li><a class="external" href="https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ">https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ</a><br />
"Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)", 08-01-13<br />
CVE-2013-0156; Affected Rails: all; Not affected: none; Fixed: 3.2.11, 3.1.10, 3.0.19, 2.3.15</li>
</ol>
<p>Will pick up &amp; finish another day...</p>
<p><em>Updated by Mischa The Evil on 2017-11-28 to reflect latest findings.</em></p>
<hr />
<p><strong>Mischa The Evil</strong>, 2017-11-28T03:57:38Z (<a href="https://www.redmine.org/issues/27356?journal_id=82320">journal #82320</a>)</p>
<a name="Final-results"></a>
<h2 >Final results<a href="#Final-results" class="wiki-anchor">¶</a></h2>
<p>Here are the final results of my research. I've already modified/updated the earlier posted bits of info.</p>
<a name="Course-of-events"></a>
<h3 >Course of events:<a href="#Course-of-events" class="wiki-anchor">¶</a></h3>
<p>The course of events in that January month of 2013 can best be represented within a table:</p>
<table>
<tr>
<th style="text-align:left;">Events/state: </th>
<th style="text-align:left;">Date: </th>
<th style="text-align:left;">2.2-stable: </th>
<th style="text-align:left;">2.1-stable: </th>
<th style="text-align:left;">1.4-stable: </th>
</tr>
<tr>
<td>Then current releases </td>
<td>&lt; 2013-01-08 </td>
<td>2.2.0 (3.2.9) </td>
<td>2.1.5 (3.2.8) </td>
<td>1.4.5 (2.3.14) </td>
</tr>
<tr>
<td>CVE-2013-0155 / CVE-2013-0156 </td>
<td>2013-01-08 </td>
<td>a </td>
<td>a </td>
<td>a </td>
</tr>
<tr>
<td>New releases </td>
<td>2013-01-09 </td>
<td>2.2.1 (3.2.11) </td>
<td>2.1.6 (3.2.11) </td>
<td>1.4.6 (2.3.15) </td>
</tr>
<tr>
<td>CVE-2013-0155 rep. </td>
<td>2013-01-14..20 </td>
<td>n/a </td>
<td>n/a </td>
<td>a </td>
</tr>
<tr>
<td>New releases </td>
<td>2013-01-20 </td>
<td>- </td>
<td>- </td>
<td>1.4.7 (2.3.15 with sec. fix backport [<a class="changeset" title="1.4-stable: add the patch for CVE-2013-0155 in Rails 2.3.15" href="https://www.redmine.org/projects/redmine/repository/svn/revisions/11197">r11197</a> & <a class="changeset" title="1.4-stable: add a link to a mail posted on 14 Jan 2013 about Rails 2.3 CVE-2013-0155" href="https://www.redmine.org/projects/redmine/repository/svn/revisions/11208">r11208</a>]) </td>
</tr>
<tr>
<td>CVE-2013-0333 </td>
<td>2013-01-28 </td>
<td>n/a </td>
<td>n/a </td>
<td>a </td>
</tr>
<tr>
<td>Release hot fix </td>
<td>2013-01-29 </td>
<td>- </td>
<td>- </td>
<td>1.4.7-HotFix (2.3.16) </td>
</tr>
<tr>
<td>CVE-2013-6417 </td>
<td>2013-12-03 </td>
<td>n/a </td>
<td>n/a </td>
<td>a </td>
</tr>
</table>
<p>Based on that info we can make some observations:</p>
<ul>
<li>O1: messy times... ;)</li>
<li>O2: Jean-Philippe and Toshi responded swiftly with adequate resolutions :thumbsup:</li>
<li>O3: A misleading (referring to unrelated CVE-2012-3464) code comment crept in along the way</li>
<li>O4: Rails team left 2.3.x vulnerable to CVE-2013-0155 through CVE-2013-6417 for which the resolution was not backported to 2.3.x (anymore)</li>
</ul>
<a name="Suggestion-what-table-should-read"></a>
<h3 >Suggestion what table should read:<a href="#Suggestion-what-table-should-read" class="wiki-anchor">¶</a></h3>
<p>Based on all the currently available information I'd suggest modifying the <em>three</em> related table rows to look like follows:</p>
<table>
<tr>
<th>Severity</th>
<th>Details</th>
<th>External references</th>
<th>Affected versions</th>
<th>Fixed versions</th>
</tr>
<tr>
<td style="vertical-align:middle;background-color:#f88;">Critical</td>
<td>Ruby on Rails vulnerability (<a href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo" class="external">announcement</a>)</td>
<td></td>
<td>All releases prior to and including 1.4.7</td>
<td><a href="/news/78">Fix for 1.4.7</a></td>
</tr>
<tr>
<td style="vertical-align:middle;background-color:#f88;">Critical</td>
<td>Ruby on Rails vulnerability (<a href="https://groups.google.com/forum/#!msg/rubyonrails-security/c7jT-EeN9eI/L0u4e87zYGMJ" class="external">announcement</a>)</td>
<td></td>
<td>All releases prior to 2.2.1 and 2.1.6, and 1.4.6</td>
<td><a class="version" href="https://www.redmine.org/versions/67">1.4.7</a></td>
</tr>
<tr>
<td style="vertical-align:middle;background-color:#f88;">Critical</td>
<td>Ruby on Rails vulnerability (<a href="http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/" class="external">announcement</a>)</td>
<td></td>
<td>All prior releases</td>
<td> <a class="version" href="https://www.redmine.org/versions/63">2.2.1</a>, <a class="version" href="https://www.redmine.org/versions/64">2.1.6</a>, <a class="version" href="https://www.redmine.org/versions/65">1.4.6</a></td>
</tr>
</table>
<p>What do you think?</p>
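<p>The course-of-events table and observation O4 above amount to a version check that is easy to get wrong by hand: the Redmine release, the Rails release it bundles and the 1.4.7 backport all matter. The Ruby script below is an added example, not part of this thread and not Redmine's own code. It encodes the fixed Rails versions from the advisories linked in the thread, plus Redmine's manual CVE-2013-0155 backport in 1.4.7, and reports which of the four CVEs are still open for a given Redmine/Rails pair. The constant and method names are this example's own; the 3.2.16 and 4.0.2 values for CVE-2013-6417 come from the linked advisory rather than from the thread text.</p>

```ruby
require "rubygems" # Gem::Version is used for release comparison

# Added example, not Redmine code. Data transcribed from the advisories linked
# in this thread; constant and method names are this example's own.
#
# For each CVE: Rails release series => first fixed release in that series.
# A series that is absent is not affected; nil means affected with no fix.
RAILS_FIXES = {
  "CVE-2013-0155" => { "2.3" => "2.3.16", "3.0" => "3.0.19", "3.1" => "3.1.10", "3.2" => "3.2.11" },
  "CVE-2013-0156" => { "2.3" => "2.3.15", "3.0" => "3.0.19", "3.1" => "3.1.10", "3.2" => "3.2.11" },
  "CVE-2013-0333" => { "2.3" => "2.3.16", "3.0" => "3.0.20" }, # 3.1.x and 3.2.x not affected
  # Thread: never backported to 2.3.x. The 3.2.16 / 4.0.2 values are taken from
  # the linked advisory, not from the thread text.
  "CVE-2013-6417" => { "2.3" => nil, "3.0" => nil, "3.1" => nil, "3.2" => "3.2.16", "4.0" => "4.0.2" },
}.freeze

# Fixes Redmine carries ahead of its bundled Rails: 1.4.7 ships Rails 2.3.15
# plus a manual backport of the CVE-2013-0155 patch (r11197 in the thread).
REDMINE_BACKPORTS = {
  "CVE-2013-0155" => { rails_series: "2.3", redmine_since: "1.4.7" },
}.freeze

# "2.3.15" => "2.3"
def series_of(version)
  Gem::Version.new(version).segments.first(2).join(".")
end

def at_least?(version, minimum)
  Gem::Version.new(version) >= Gem::Version.new(minimum)
end

# true when this Rails/Redmine combination is still exposed to the CVE
def vulnerable?(cve, rails_version, redmine_version = nil)
  fixes = RAILS_FIXES.fetch(cve)
  series = series_of(rails_version)
  return false unless fixes.key?(series)                   # series not affected
  fixed_in = fixes[series]
  return false if fixed_in && at_least?(rails_version, fixed_in)
  backport = REDMINE_BACKPORTS[cve]
  if backport && redmine_version && backport[:rails_series] == series
    return false if at_least?(redmine_version, backport[:redmine_since])
  end
  true
end

# CVEs from the table that remain open for the given pair, in table order
def outstanding_cves(rails_version, redmine_version = nil)
  RAILS_FIXES.keys.select { |cve| vulnerable?(cve, rails_version, redmine_version) }
end

if __FILE__ == $PROGRAM_NAME
  # The rows of the course-of-events table, as (Redmine, bundled Rails) pairs
  [["2.2.0", "3.2.9"], ["2.2.1", "3.2.11"], ["1.4.5", "2.3.14"],
   ["1.4.6", "2.3.15"], ["1.4.7", "2.3.15"], ["1.4.7", "2.3.16"]].each do |redmine, rails|
    left = outstanding_cves(rails, redmine)
    puts "Redmine #{redmine} (Rails #{rails}): #{left.empty? ? 'nothing outstanding' : left.join(', ')}"
  end
end
```

<p>Run stand-alone it walks the table rows; the two 1.4.7 lines show the point of O4: the hot fix with Rails 2.3.16 closes CVE-2013-0333, but CVE-2013-6417 stays open on every 2.3.x combination because it was never backported.</p>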
<hr />
<p><strong>Mischa The Evil</strong>, 2017-11-28T03:58:34Z (<a href="https://www.redmine.org/issues/27356?journal_id=82321">journal #82321</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Needs feedback</i></li><li><strong>Assignee</strong> changed from <i>Mischa The Evil</i> to <i>Gregor Schmidt</i></li></ul>
<hr />
<p><strong>Gregor Schmidt</strong>, 2017-11-28T10:58:04Z (<a href="https://www.redmine.org/issues/27356?journal_id=82329">journal #82329</a>)</p>
<p>Thank you so much for your research. In your proposed update, the third entry covers CVE-2013-0155 and CVE-2013-0156, while the second line mainly covers CVE-2013-0155 for 2.3.x. This follows the timeline, but I think it would be more comprehensive to follow the vulnerabilities in this case.</p>
<table>
<tr>
<td style="vertical-align:middle;background-color:#f88;">Critical</td>
<td>Ruby on Rails vulnerability (<a href="https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo" class="external">announcement</a>)</td>
<td> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333" class="external">CVE-2013-0333</a> </td>
<td>All releases prior to and including 1.4.7 </td>
<td> <a href="/news/78">Fix for 1.4.7</a> </td>
</tr>
<tr>
<td style="vertical-align:middle;background-color:#f88;">Critical</td>
<td>Ruby on Rails vulnerability (<a href="https://groups.google.com/forum/#!msg/rubyonrails-security/c7jT-EeN9eI/L0u4e87zYGMJ" class="external">announcement</a>)</td>
<td> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155" class="external">CVE-2013-0155</a> </td>
<td>All prior releases</td>
<td> <a class="version" href="https://www.redmine.org/versions/63">2.2.1</a>, <a class="version" href="https://www.redmine.org/versions/64">2.1.6</a>, <a class="version" href="https://www.redmine.org/versions/67">1.4.7</a> </td>
</tr>
<tr>
<td style="vertical-align:middle;background-color:#f88;">Critical</td>
<td>Ruby on Rails vulnerability (<a href="https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ" class="external">announcement</a>)</td>
<td> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156" class="external">CVE-2013-0156</a> </td>
<td>All prior releases</td>
<td> <a class="version" href="https://www.redmine.org/versions/63">2.2.1</a>, <a class="version" href="https://www.redmine.org/versions/64">2.1.6</a>, <a class="version" href="https://www.redmine.org/versions/65">1.4.6</a> </td>
</tr>
</table>
<p>What do you think, is this still accurate?</p>
<hr />
<p><strong>Mischa The Evil</strong>, 2017-12-05T08:35:58Z (<a href="https://www.redmine.org/issues/27356?journal_id=82447">journal #82447</a>)</p>
<p>Gregor Schmidt wrote:</p>
<blockquote>
<p>Thank you so much for your research. In your proposed update, the third entry covers CVE-2013-0155 and CVE-2013-0156, while the second line mainly covers CVE-2013-0155 for 2.3.x. This follows the timeline, but I think it would be more comprehensive to follow the vulnerabilities in this case.</p>
</blockquote>
<p>I'd be ok with that, but I always interpret these kinds of lists as event lines (adding the date to each line automatically). It also follows the separate news items.</p>
<blockquote>
<p>&lt;table snip&gt;</p>
<p>What do you think, is this still accurate?</p>
</blockquote>
<p>It is still accurate enough for me. However, JPL or sec. team may think differently. I'd like to hear their opinion before I'd change the page.</p>
<p><em>Edit by Mischa The Evil on 2017-12-05: snip quoted table.</em></p>