On Fri, Apr 13, 2012 at 18:25, Nico Golde <n...@debian.org> wrote:
> Hi,
> * Ondřej Surý <ond...@sury.org> [2012-04-13 15:56]:
>> On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
>> <muehlenh...@univention.de> wrote:
>> > Package: rails
>> > Severity: grave
>> > Tags: security
>> >
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
>> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
>>
>> The vulnerable code isn't present in rails-2.3 (which doesn't mean
>> that rails 2.3 is not vulnerable, just that we cannot fix that).
>>
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
>> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
>>
>> I have adapted the upstream patch to rails-2.3; the code seems to be
>> reasonably similar to 3.x.
>>
>> $ diffstat rails_2.3.5-1.2+squeeze3.debdiff
>>  changelog                   |  8 +++++++
>>  patches/CVE-2012-1099.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
>>  patches/series              |  1
>>  3 files changed, 55 insertions(+)
>>
>> debdiff, dsc and debian.tar.gz attached
>
> Looks good. Please go ahead and upload this to security-master.
Thanks, uploaded.

For unstable it has been fixed in:

ruby-actionpack-2.3 (2.3.14-3) unstable; urgency=low

  * Fix vulnerability for users that generate their own options tags for
    use with the select helper in Ruby On Rails [CVE-2012-1099]
    (Closes: #668607)

 -- Ondřej Surý <ond...@debian.org>  Fri, 13 Apr 2012 15:39:31 +0200

O.
--
Ondřej Surý <ond...@sury.org>
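The changelog entry above describes the affected pattern only in one line: applications that build their own option tags as strings and hand them to the select helper. The following is an added example, not code from Rails, from the Debian patch or from this thread, written in plain Ruby against the standard library (ERB::Util.html_escape) so it runs without Rails. The PAYLOAD string is a constructed sample input standing in for any user-controlled value that ends up inside an <option> tag; the helper names are hypothetical. It contrasts the unescaped string-building that the advisory warns about with the same helper after every interpolated value is HTML-escaped, which is the workaround the thread's fix amounts to for application code.

```ruby
require 'erb'

# Constructed sample input (assumption): a display value an attacker
# controls, e.g. a user-supplied name that an application interpolates
# into option tags it generates itself before calling the select helper.
PAYLOAD = "Alice</option><script>alert(1)</script><option>"

# Unsafe pattern: option tags concatenated from raw values. If this string
# is trusted as markup downstream, the payload's tags are rendered as-is.
def unsafe_options(values)
  values.map { |v| "<option value=\"#{v}\">#{v}</option>" }.join
end

# Hardened pattern: every interpolated value is HTML-escaped, so the
# payload survives only as text inside the option, never as new elements.
def safe_options(values)
  values.map do |v|
    e = ERB::Util.html_escape(v)
    "<option value=\"#{e}\">#{e}</option>"
  end.join
end

# True when the rendered markup contains a live <script> element, i.e. the
# injected tag was not neutralised.
def injects_script?(html)
  html.include?("<script>")
end

# Number of <option elements in the markup; one input value should yield
# exactly one option tag, so anything higher means injected structure.
def option_tag_count(html)
  html.scan("<option").size
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_options([PAYLOAD])}"
  puts "safe:   #{safe_options([PAYLOAD])}"
end
```

Running the file prints both renderings; the unsafe one contains three `<option` openings and a `<script>` element from a single input value, the escaped one contains exactly one option whose text merely displays the payload.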