
=====================================================================

                           CERT-Renater

               Information Note No. 2013/VULN090
_____________________________________________________________________

DATE                : 01/03/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running
                Dragonfly for Ruby versions prior to 0.9.14.

======================================================================
https://groups.google.com/forum/?fromgroups=#!topic/dragonfly-users/3c3WIU3VQTo
______________________________________________________________________

 Important Security Update - Dragonfly 0.9.14 released [CVE-2013-1756]

Hi All

Unfortunately there is a security vulnerability in Dragonfly when used
with Rails which would potentially allow an attacker to run arbitrary
code on a host machine using carefully crafted requests.

The vulnerability has been assigned the CVE identifier CVE-2013-1756.

Dragonfly version 0.9.14 has been released, which fixes the
vulnerability.

It is recommended that you upgrade immediately.


Versions affected
-------------------------
 All versions between 0.7.0 and 0.9.12, when used with Rails.


Fix release
----------------
0.9.14


Credits
---------
Many thanks to Charlie Somerville for reporting the vulnerability.

Mark Evans
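
To check a deployment against the version information above, the following added example (not part of the original announcement or of Dragonfly itself) reads a Gemfile.lock and classifies the locked Dragonfly version. The function names, status symbols and sample lockfile are assumptions constructed for illustration.

```ruby
require "rubygems" # Gem::Version

# Version bounds as stated in the advisory.
AFFECTED_MIN = Gem::Version.new("0.7.0")
AFFECTED_MAX = Gem::Version.new("0.9.12")
FIX_RELEASE  = Gem::Version.new("0.9.14")

# Constructed sample Gemfile.lock (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      dragonfly (0.9.12)
        rack
      rack (1.4.5)
      rails (3.2.12)

  DEPENDENCIES
    dragonfly
    rails
LOCK

# Resolved gems are the 4-space-indented "name (version)" lines under specs:.
# Their dependencies are indented 6 spaces and are skipped by the pattern.
def locked_versions(lock_text)
  lock_text.scan(/^ {4}([A-Za-z0-9_.-]+) \(([^)\s]+)\)$/).to_h
end

# Hypothetical helper: classify the locked Dragonfly version.
def dragonfly_status(lock_text)
  gems = locked_versions(lock_text)
  return :not_present unless gems.key?("dragonfly")

  version = Gem::Version.new(gems["dragonfly"])
  return :fixed if version >= FIX_RELEASE

  if version >= AFFECTED_MIN && version <= AFFECTED_MAX
    # The advisory scopes the issue to use with Rails.
    with_rails = gems.key?("rails") || gems.key?("railties")
    with_rails ? :affected : :affected_range_without_rails
  else
    # Older than the fix release but outside the listed affected range.
    :below_fix_release
  end
end

puts dragonfly_status(SAMPLE_LOCK) if __FILE__ == $PROGRAM_NAME
```

Any result other than :fixed or :not_present is a reason to review the application and move to the fix release.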


======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
