Hi,

* Adam Majer <ad...@zombino.com> [2009-07-06 05:49]:
> Michael S. Gilbert wrote:
> > package: rails
> > version: 1.1.6-3
> > severity: serious
> > tags: security
> >
> > hello,
> >
> > it has been found that rails is vulnerable to a password bypass [1]. this
> > will be fixed in upstream version 2.3.3.
> >
> > [1] http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
>
> Rails 2.2.2 doesn't have digest HTTP authentication. I've looked at the
> function in rails and I don't see the problem.
>
> Certainly this is not a problem with version 1.1.6. The issue is with the
> Rails 2.3.x branch, AFAIK.
>
> Please let me know if I'm wrong.
Yes, that's correct. I verified the Ruby version in unstable and the vulnerable code is indeed not yet present.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.