Hi Sheldon,

* Sheldon Hearn <[EMAIL PROTECTED]> [2007-10-22 14:22]:
> On Monday 22 October 2007 13:58:43 Nico Golde wrote:
> > > The bad news is, it looks like CVE-2007-3227 is only fixed properly
> > > in rails-1.2.5:
> > >
> > > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/225dcc61aaefad42
> >
> > Why do you think so?
>
> I think so because DHH is a core Rails developer, and his post said that
> 1.2.5 closes a JSON XSS vulnerability, and that we should see
> CVE-2007-3227 for more information on the problem.
[...]
> "The rails core team has released ruby on rails 1.2.5 to address a
> potential XSS exploit with our json serialization. The CVE Identifier
> for this problem is CVE-2007-3227"
>
> In other words, I don't think rails-1.2.4 fully addressed the issue.

Huh? Who said this? We have 1.2.4 but we ship an extra
patch which is not included in 1.2.4 to fix this so I don't
see the point.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.