Important Security Update - Dragonfly 0.9.14 released [CVE-2013-1756]


Mark Evans

Feb 19, 2013, 5:39:36 AM
to dragonf...@googlegroups.com
Hi All

Unfortunately there is a security vulnerability in Dragonfly when used with Rails which would potentially allow an attacker to run arbitrary code on a host machine using carefully crafted requests.
The vulnerability has been assigned the CVE identifier CVE-2013-1756.

Dragonfly version 0.9.14 has been released, which fixes the vulnerability.
It is recommended that you upgrade immediately.

Versions affected
-------------------------
 All versions between 0.7.0 and 0.9.12, when used with Rails.

Fix release
----------------
0.9.14

Credits
---------
Many thanks to Charlie Somerville for reporting the vulnerability

Mark Evans

Olivier Gonzalez

Feb 27, 2013, 6:47:37 AM
to dragonf...@googlegroups.com
Hi, 

You say affected versions are 0.7.0 through 0.9.12, but the version that contains the fix is 0.9.14

So what about 0.9.13? 

Thanks

Olivier

Mark Evans

Feb 27, 2013, 6:55:25 AM
to dragonf...@googlegroups.com
0.9.13 is also fixed, however I didn't say to upgrade to it because there is a bug where some urls containing '+' characters don't get recognised properly (fixed in 0.9.14).
However it is secure
cheers
Mark

Olivier Gonzalez

Feb 27, 2013, 7:43:13 AM
to dragonf...@googlegroups.com
Thanks!

In case you wonder why I asked this: https://gemnasium.com/gems/dragonfly/versions/0.9.12

cheers,
Olivier.

Mark Evans

Feb 27, 2013, 7:48:39 AM
to dragonf...@googlegroups.com
aah.. I didn't know about gemnasium - nice site!

Ralf Kistner

Mar 8, 2013, 7:10:57 AM
to dragonf...@googlegroups.com
Hi,

Is there any chance this could be backported to the 0.8.x series? I'm running some Rails 2.3 apps using Dragonfly, and I can't easily upgrade to Rails 3.

Regards,
Ralf

Semyon Perepelitsa

Apr 18, 2013, 10:11:12 AM
to dragonf...@googlegroups.com
Does this vulnerability affect applications using config.protect_from_dos_attacks = true in prior versions?

Frederick Cheung

Apr 18, 2013, 10:13:33 AM
to dragonf...@googlegroups.com
I remember a discussion on this and I believe that the conclusion was that it doesn't - the payload is unmarshalled before the checksum is checked (because the checksum is based on the unmarshalled content)

Fred

On 18 Apr 2013, at 15:11, Semyon Perepelitsa <semaper...@gmail.com> wrote:

> Does this vulnerability affect applications using config.protect_from_dos_attacks = true in prior versions?

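Fred's point above, that a checksum cannot protect you when the payload is unmarshalled before the checksum is checked, as an added Ruby illustration. This is not Dragonfly's own code: SECRET, encode, counted_load and the job hashes are constructed for the demo, and the only thing it shows is the effect of the order of the two steps.

```ruby
require 'openssl'

# Added illustration, not Dragonfly's code. SECRET and the payloads are
# constructed for the demo; the point is only the order of the two steps.
SECRET = 'constructed-demo-secret'.freeze
LOAD_COUNT = { calls: 0 }

def hmac(raw)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, raw)
end

# Constant-time comparison of two equal-length hex digests.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: serialize the job and sign the raw serialized bytes.
def encode(obj)
  raw = Marshal.dump(obj)
  [raw, hmac(raw)]
end

# Wrapper so callers can observe whether Marshal.load ran on the input at all.
def counted_load(raw)
  LOAD_COUNT[:calls] += 1
  Marshal.load(raw)
end

# Vulnerable order: untrusted bytes reach Marshal.load before the check.
def deserialize_then_verify(raw, sig)
  obj = counted_load(raw)
  raise 'bad signature' unless secure_equal?(hmac(raw), sig)
  obj
end

# Correct order: reject unauthenticated input before it is deserialized.
def verify_then_deserialize(raw, sig)
  raise 'bad signature' unless secure_equal?(hmac(raw), sig)
  counted_load(raw)
end

# How many times Marshal.load ran while `verifier` rejected a bad signature
# (nil if the payload was accepted, which should never happen here).
def loads_before_rejection(verifier, raw, sig)
  LOAD_COUNT[:calls] = 0
  method(verifier).call(raw, sig)
  nil
rescue RuntimeError
  LOAD_COUNT[:calls]
end
```

With a payload whose signature does not match, the vulnerable order has already called Marshal.load once by the time it rejects the request, while the correct order never touches it.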
Frederick Cheung

Apr 18, 2013, 10:15:45 AM
to Frederick Cheung, dragonf...@googlegroups.com
Sorry, I realise that that is ambiguous: config.protect_from_dos_attacks does not protect you and you are still vulnerable

Fred

Mark Evans

Apr 19, 2013, 2:25:23 PM
to dragonf...@googlegroups.com
the fix has been backported to 0.8.6
cheers

Mark Evans

Apr 19, 2013, 2:26:11 PM
to dragonf...@googlegroups.com, Frederick Cheung
that's correct - the fix is still necessary