Package: rails -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi, the following CVE (Common Vulnerabilities & Exposures) ids were published for rails. CVE-2009-3086[0]: | A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x | before 2.3.4, leaks information about the complexity of message-digest | signature verification in the cookie store, which might allow remote | attackers to forge a digest via multiple attempts. CVE-2009-3009[1]: | Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before | 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject | arbitrary web script or HTML by placing malformed Unicode strings into | a form helper. If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086 http://security-tracker.debian.net/tracker/CVE-2009-3086 [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009 http://security-tracker.debian.net/tracker/CVE-2009-3009 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkqouSsACgkQNxpp46476ao1ZQCaAil8vKbQ/JQGNc+DBApQl3eW 89wAnjuPfrGmejg7FLzABM88h/n4rdpa =OeAa -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
