* Steffen Joeris <steffen.joe...@skolelinux.de> [2010-01-30 17:13-0500]:
> Hi Adam
>
> These issues have been assigned CVE ids, see below:
>
> CVE-2009-4214[0]:
> | Cross-site scripting (XSS) vulnerability in the strip_tags function in
> | Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
> | attackers to inject arbitrary web script or HTML via vectors involving
> | non-printing ASCII characters, related to HTML::Tokenizer and
> | actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
>
> CVE-2008-7248[1]:
> | Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
> | tokens for requests with certain content types, which allows remote
> | attackers to bypass cross-site request forgery (CSRF) protection for
> | requests to applications that rely on this protection, as demonstrated
> | using text/plain.
>
> CVE-2008-7248 does not seem to affect lenny since it does not include 'text'
> in the @@unverifiable_types. The upstream patch for this issue is here[2] and
> needs to be included in the sid version.
I can confirm that the lenny version does not include 'text' in the
@@unverifiable_types in the mime_type.rb. I also can confirm that the
sid/squeeze version contains 'text', and thus they are affected and need
updating.

> CVE-2009-4214 affects lenny as well and the upstream patch is here[3], please
> have a deeper look at that change, because I didn't. :)

I can confirm that this one affects lenny. It also affects the sid/squeeze
version, so this will need to be updated as well.

> I guess due to CVE-2009-4214 we could fix this via a DSA. When you prepare
> the updated packages for lenny, please also include a fix for CVE-2009-3086[4].

Sounds like a DSA for Lenny which hits both CVEs, as well as an upload to sid
with urgency=high, is the name of the game here.

micah
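The two bypasses discussed in this thread, as an added illustration that is not part of the thread or of the Rails source. It is a simplified model, not Rails' own mime_type.rb, request_forgery_protection.rb or HTML::Tokenizer code: a CSRF check that skips token verification for "unverifiable" content types, run once with :text in the set (the sid/squeeze situation described above) and once with :text removed, and a strip_tags that only recognises a tag when '<' is followed directly by a letter, beside a variant that first drops non-printing ASCII control characters. The request hashes, the session token, the mime_sym mapping, the control-character range and the exact shape of the hardened strip_tags are all constructed assumptions here, not the upstream patches referenced in [2] and [3].

```ruby
require 'set'

# ---- CVE-2008-7248 shape: CSRF check skipped for "unverifiable" content types ----
# Simplified model, not Rails' request_forgery_protection.rb / mime_type.rb.
# Sid/squeeze-style list (contains :text) versus the same list with :text removed.
UNVERIFIABLE_TYPES_AFFECTED = Set.new([:text, :json, :xml, :rss, :atom, :yaml])
UNVERIFIABLE_TYPES_FIXED    = Set.new([:json, :xml, :rss, :atom, :yaml])

# Map a Content-Type header to a mime symbol (assumed mapping; parameters ignored).
def mime_sym(content_type)
  case content_type.to_s.split(';').first.to_s.strip.downcase
  when 'text/plain'                        then :text
  when 'application/json'                  then :json
  when 'application/xml', 'text/xml'       then :xml
  when 'application/x-www-form-urlencoded' then :url_encoded_form
  when 'multipart/form-data'               then :multipart_form
  else :unknown
  end
end

# Returns true when the request may proceed. A request whose content type is in
# the unverifiable set is never checked for a token; that is the bypass, because a
# browser will submit a cross-site <form enctype="text/plain"> carrying no token.
def csrf_verified?(request, unverifiable_types)
  return true if request[:method] == 'GET'
  return true if unverifiable_types.include?(mime_sym(request[:content_type]))
  request[:params]['authenticity_token'] == request[:session_token]
end

SESSION_TOKEN = 'c0ffee-constructed-token' # constructed sample, not a real token

# Constructed sample requests: a cross-site forgery and a legitimate form post.
FORGED_POST = { method: 'POST', content_type: 'text/plain',
                params: { 'amount' => '1000' }, session_token: SESSION_TOKEN }
LEGIT_POST  = { method: 'POST', content_type: 'application/x-www-form-urlencoded',
                params: { 'amount' => '10', 'authenticity_token' => SESSION_TOKEN },
                session_token: SESSION_TOKEN }

# ---- CVE-2009-4214 shape: strip_tags misses a tag split by a control character ----
# Toy tokenizer rule (assumption): a tag starts only where '<' is followed by a
# letter or '/'. Anything else is treated as plain text and passed through.
def strip_tags_naive(html)
  html.gsub(%r{</?[A-Za-z][^>]*>}, '')
end

# Non-printing ASCII (assumed range; tab, LF and CR are kept as ordinary whitespace).
NONPRINTING_ASCII = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/

# Hardened variant: normalise the input before tokenising, so a control character
# cannot hide a tag from the stripper while a lenient browser still sees the tag.
def strip_tags_hardened(html)
  strip_tags_naive(html.gsub(NONPRINTING_ASCII, ''))
end

# Constructed payload: a form feed (\x0C) between '<' and the tag name.
PAYLOAD = "<\x0Cscript>alert(1)</script>"

if __FILE__ == $PROGRAM_NAME
  puts "forged text/plain POST, :text unverifiable: #{csrf_verified?(FORGED_POST, UNVERIFIABLE_TYPES_AFFECTED)}" # true (bypass)
  puts "forged text/plain POST, :text removed:      #{csrf_verified?(FORGED_POST, UNVERIFIABLE_TYPES_FIXED)}"    # false
  puts "legit form POST with token, :text removed:  #{csrf_verified?(LEGIT_POST, UNVERIFIABLE_TYPES_FIXED)}"     # true
  puts "naive strip_tags:    #{strip_tags_naive(PAYLOAD).inspect}"    # "<\fscript>alert(1)"
  puts "hardened strip_tags: #{strip_tags_hardened(PAYLOAD).inspect}" # "alert(1)"
end
```

The point of the first half is the one the thread makes about @@unverifiable_types: with :text in the set, the token is never even looked at for a text/plain POST, and an attacker's page needs nothing more than an auto-submitted form to reach the action. In the second half, the naive stripper removes the closing </script> but leaves "<\x0Cscript>" in place because the form feed breaks its tag-start rule; stripping the control characters first is one way to close that gap, and whether the upstream change in [3] does it this way is exactly what the reviewer is being asked to look at.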