Your message dated Sat, 12 May 2012 17:17:11 +0000
with message-id <e1stfwn-0000rs...@franck.debian.org>
and subject line Bug#668607: fixed in rails 2.3.5-1.2+squeeze3
has caused the Debian Bug report #668607,
regarding CVE-2012-1099: Cross-site scripting (XSS) vulnerability in 
actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper 
in Ruby on Rails 3.0.x
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
668607: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668607
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rails
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664

Cheers,
        Moritz



--- End Message ---
--- Begin Message ---
Source: rails
Source-Version: 2.3.5-1.2+squeeze3

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:

libactionmailer-ruby1.8_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactionmailer-ruby1.8_2.3.5-1.2+squeeze3_all.deb
libactionmailer-ruby_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactionmailer-ruby_2.3.5-1.2+squeeze3_all.deb
libactionpack-ruby1.8_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactionpack-ruby1.8_2.3.5-1.2+squeeze3_all.deb
libactionpack-ruby_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactionpack-ruby_2.3.5-1.2+squeeze3_all.deb
libactiverecord-ruby1.8_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactiverecord-ruby1.8_2.3.5-1.2+squeeze3_all.deb
libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze3_all.deb
libactiverecord-ruby_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactiverecord-ruby_2.3.5-1.2+squeeze3_all.deb
libactiveresource-ruby1.8_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactiveresource-ruby1.8_2.3.5-1.2+squeeze3_all.deb
libactiveresource-ruby_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactiveresource-ruby_2.3.5-1.2+squeeze3_all.deb
libactivesupport-ruby1.8_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactivesupport-ruby1.8_2.3.5-1.2+squeeze3_all.deb
libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze3_all.deb
libactivesupport-ruby_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/libactivesupport-ruby_2.3.5-1.2+squeeze3_all.deb
rails-doc_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/rails-doc_2.3.5-1.2+squeeze3_all.deb
rails-ruby1.8_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/rails-ruby1.8_2.3.5-1.2+squeeze3_all.deb
rails_2.3.5-1.2+squeeze3.debian.tar.gz
  to main/r/rails/rails_2.3.5-1.2+squeeze3.debian.tar.gz
rails_2.3.5-1.2+squeeze3.dsc
  to main/r/rails/rails_2.3.5-1.2+squeeze3.dsc
rails_2.3.5-1.2+squeeze3_all.deb
  to main/r/rails/rails_2.3.5-1.2+squeeze3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 668...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ond...@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 13 Apr 2012 15:45:20 +0200
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source all
Version: 2.3.5-1.2+squeeze3
Distribution: stable-security
Urgency: low
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description: 
 libactionmailer-ruby - Framework for generation of customized email messages
 libactionmailer-ruby1.8 - Framework for generation of customized email messages
 libactionpack-ruby - Controller and View framework used by Rails
 libactionpack-ruby1.8 - Controller and View framework used by Rails
 libactiverecord-ruby - ORM database interface for ruby
 libactiverecord-ruby1.8 - ORM database interface for ruby
 libactiverecord-ruby1.9.1 - ORM database interface for ruby
 libactiveresource-ruby - Connects objects and REST web services
 libactiveresource-ruby1.8 - Connects objects and REST web services
 libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
 rails      - MVC ruby based framework geared for web application development
 rails-doc  - Documentation for rails, a MVC ruby based framework
 rails-ruby1.8 - MVC ruby based framework geared for web application development
Closes: 668607
Changes: 
 rails (2.3.5-1.2+squeeze3) stable-security; urgency=low
 .
   * Fix vulnerability for users that generate their own options tags for
     use with the select helper in Ruby On Rails [CVE-2012-1099]
     (Closes: #668607)




--- End Message ---
