Hi Moritz, thanks for the reminder.

On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff <muehlenh...@univention.de> wrote:
> Package: rails
> Severity: grave
> Tags: security
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1

The vulnerable code isn't present in rails-2.3 (which doesn't mean that rails 2.3 is not vulnerable, just that we cannot fix that).

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664

I have adapted the upstream patch to rails-2.3; the code seems to be reasonably similar to 3.x.

$ diffstat rails_2.3.5-1.2+squeeze3.debdiff
 changelog                   |  8 +++++++
 patches/CVE-2012-1099.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |  1
 3 files changed, 55 insertions(+)

debdiff, dsc and debian.tar.gz attached

Ondrej
--
Ondřej Surý <ond...@sury.org>
rails_2.3.5-1.2+squeeze3.debdiff
Description: Binary data
rails_2.3.5-1.2+squeeze3.debian.tar.gz
Description: GNU Zip compressed data
rails_2.3.5-1.2+squeeze3.dsc
Description: Binary data