Moses Mendoza
2013-Jan-03 23:19 UTC
[Puppet Users] Rails ActiveRecord vulnerability & Puppet legacy storeconfigs [ security ]
Good day,

A security vulnerability has been discovered in Ruby on Rails, specifically in all versions of ActiveRecord. It is assigned CVE-2012-5664. The vulnerability exposes ActiveRecord to arbitrary SQL Injection. CVE details can be found here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5664

If you currently use Puppet's ActiveRecord-based storeconfigs, you will most likely want to update your ActiveRecord version or patch your version to address the risk (or even better, use PuppetDB, a drop-in replacement: http://docs.puppetlabs.com/puppetdb/).

See the following post for more information on the vulnerability:

https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM

Regards,
Moses Mendoza
Puppet Labs