Hi Sheldon,

* Sheldon Hearn <[EMAIL PROTECTED]> [2007-10-22 12:14]:
> The good news is, upstream seems to have taken disclosure complaints to
> heart, and is now posting security advisories to the
> rubyonrails-security Google Group:
>
> The bad news is, it looks like CVE-2007-3227 is only fixed properly in
> rails-1.2.5:
>
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/225dcc61aaefad42
Why do you think so? The post does not say more than that it is recommended to install 1.2.5 because of CVE-2007-3227, but the 1.2.4 rails package in Debian includes debian/patches/changeset_r6893, which was the upstream changeset fixing this:
http://dev.rubyonrails.org/changeset/6893

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.