Package: rails Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for rails.
CVE-2007-6077[0]: | The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as | used in Ruby on Rails, removes the :cookie_only attribute from the | DEFAULT_SESSION_OPTIONS constant, which effectively causes :cookie_only to only | be applied to the first instantiation of CgiRequest, which allows remote | attackers to conduct session fixation attacks. NOTE: this is due to an | incomplete fix for CVE-2007-5380 If you fix this vulnerability please also include the CVE id in your changelog entry. Since this is caused by an incomplete fix for CVE-2007-5380 I set the severity to grave. There is a patch available on: http://dev.rubyonrails.org/ticket/10048 For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6077 Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgp009BL6dhbq.pgp
Description: PGP signature
