Hi, I decided to help a little bit with moving these issues forward. I did what I could, but now the more experienced debian rails people need to act. In particular, there is a decision that needs to be made for CVE-2011-0446, and a review of the fix I did for CVE-2011-0447. I am happy to help facilitate in any other way, but I need others who have more experience to weigh in on those.
Both of these CVEs affect all versions of rails, including those in oldstable.

CVE-2011-0446
-------------

Patch for rails 2.3 to fix CVE-2011-0446 is here:

http://rubyonrails-security.googlegroups.com/attach/365b8a23b76a6b4a/2-3-mailto.patch?part=3

The upstream commit id is: abe97736b8316f1b714cac56c115c0779aa73217

Looking through the commit log for the above fix, it was done to rails 2.3.11, which has had three other commits that touched actionpack/lib/action_view/helpers/url_helper.rb; the largest one is 9ca6df83f606a0fb8be3815328111d0cdaa7c65b, which backports html_safe and the latest rails_xss plugin. This change seems to be a pre-requisite for the security fix; the sad thing is that it is a big change.

I did not do anything with CVE-2011-0446 as it was intrusive; hopefully others who have experience with this package can weigh in on the best way forward with this one. Once this is resolved a security release could happen.

CVE-2011-0447
-------------

The patch for rails 2.1 to fix CVE-2011-0447 is here:

http://rubyonrails-security.googlegroups.com/attach/c22ea1668c0d181c/2-1-csrf.patch?part=3

I was able to cherry-pick this commit (d622353dd399908770473d417ecef028524b8c8b) from upstream's git repo into the debian debian-lenny branch without any conflicts. I went ahead and did that and have committed it, along with a changelog entry and a NEWS entry that comes straight from the mailing list. It is my opinion that the fix for lenny in 2.1 is done. Please, someone who has more skills in rails, review this to make sure it is good, and then I think it can be uploaded after contacting the security team.

The patch for rails 2.3 to fix CVE-2011-0447 is here:

http://rubyonrails-security.googlegroups.com/attach/c22ea1668c0d181c/2-3-csrf.patch?part=5

I was able to cherry-pick this commit (9998f79b9cf9c60b07baf4c23a02178034e06d85) from upstream's git repo into the debian v2.3-stable branch without any conflicts.
I also went ahead and committed this change, along with a changelog entry and a NEWS entry that came from the mailing list, identical to the debian-lenny 2.1 one above. Once CVE-2011-0446 has been resolved for 2.3, this can be uploaded.

A few notes:

1. I noticed that the upload that made it into squeeze was never tagged as debian/2.3.5-1.2, so I went ahead and did that.

2. I wasn't sure what the difference between the branch 'debian-lenny' and v2.1-stable was. The 'debian-lenny' one seemed to have the most recent security fixes, and had a debian directory, so I went with that one.

3. v2.3-stable seemed to be the place for squeeze fixes, which differs from the nomenclature used in #2; perhaps that fix should be in a debian-squeeze branch? If so, then please change it, and clarify #2 for v2.3-stable too.

Micah