On Fri, Apr 13, 2012 at 18:25, Nico Golde <[email protected]> wrote:
> Hi,
> * Ondřej Surý <[email protected]> [2012-04-13 15:56]:
>> On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
>> <[email protected]> wrote:
>> > Package: rails
>> > Severity: grave
>> > Tags: security
>> >
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
>> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
>>
>> The vulnerable code isn't present in rails-2.3 (which doesn't mean
>> that rails 2.3 is not vulnerable, just that we cannot fix that)
>>
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
>> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
>>
>> I have adapted the upstream patch to rails-2.3, the code seems to be
>> reasonably similar to 3.x.
>>
>> $ diffstat rails_2.3.5-1.2+squeeze3.debdiff
>>  changelog                   |    8 +++++++
>>  patches/CVE-2012-1099.patch |   46 ++++++++++++++++++++++++++++++++++++++++++++
>>  patches/series              |    1
>>  3 files changed, 55 insertions(+)
>>
>> debdiff, dsc and debian.tar.gz attached
>
> Looks good. Please go ahead and upload this to security-master.

Thanks, uploaded.

For unstable it has been fixed in:
ruby-actionpack-2.3 (2.3.14-3) unstable; urgency=low

  * Fix vulnerability for users that generate their own options tags for
    use with the select helper in Ruby On Rails [CVE-2012-1099]
    (Closes: #668607)

 -- Ondřej Surý <[email protected]>  Fri, 13 Apr 2012 15:39:31 +0200

O.
-- 
Ondřej Surý <[email protected]>
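As an added illustration of the class of issue the changelog entry above describes (caller-generated option tags passed through the select helper), and not the Debian patch or Rails' own code: a minimal helper in its unescaped and escaped forms. The SafeMarkup class is a hypothetical stand-in for the marker Rails uses for already-vetted markup, and the sample choices are constructed.

```ruby
require 'erb'

# Hypothetical marker for option markup the caller has already vetted; a
# stand-in for the html_safe flag Rails uses, not the real Rails class.
class SafeMarkup < String; end

# Escape a text or attribute value unless the caller marked it safe.
def escape_unless_safe(value)
  value.is_a?(SafeMarkup) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Before: caller-supplied option text and values are concatenated verbatim,
# so markup in either ends up in the page as live HTML.
def select_unescaped(name, choices)
  body = choices.map { |text, value| "<option value=\"#{value}\">#{text}</option>" }.join
  "<select name=\"#{name}\">#{body}</select>"
end

# After: every text and value is escaped unless explicitly marked safe.
def select_escaped(name, choices, selected: nil)
  body = choices.map do |text, value|
    sel = value == selected ? ' selected="selected"' : ''
    "<option value=\"#{escape_unless_safe(value)}\"#{sel}>#{escape_unless_safe(text)}</option>"
  end.join
  "<select name=\"#{ERB::Util.html_escape(name)}\">#{body}</select>"
end

# Constructed sample input: one label carries markup and one value carries a
# quote, as data taken from users might.
SAMPLE_CHOICES = [["Red", "red"], ["<b>Blue</b>", "blue\" data-x=\"y"]]

if __FILE__ == $PROGRAM_NAME
  puts select_unescaped("color", SAMPLE_CHOICES)
  puts select_escaped("color", SAMPLE_CHOICES, selected: "red")
end
```

Running it prints the unescaped markup first and then the escaped select, where the label's tags and the value's quote appear as entities rather than as HTML.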