Hi Adam

These issues have been assigned CVE ids, see below:

CVE-2009-4214[0]:
| Cross-site scripting (XSS) vulnerability in the strip_tags function in
| Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
| attackers to inject arbitrary web script or HTML via vectors involving
| non-printing ASCII characters, related to HTML::Tokenizer and
| actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

CVE-2008-7248[1]:
| Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
| tokens for requests with certain content types, which allows remote
| attackers to bypass cross-site request forgery (CSRF) protection for
| requests to applications that rely on this protection, as demonstrated
| using text/plain.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

CVE-2008-7248 does not seem to affect lenny since it does not include 'text' in the @@unverifiable_types. The upstream patch for this issue is here[2] and needs to be included in the sid version.

CVE-2009-4214 affects lenny as well and the upstream patch is here[3], please have a deeper look at that change, because I didn't. :)

I guess due to CVE-2009-4214 we could fix this via a DSA. When you prepare the updated packages for lenny, please also include a fix for CVE-2009-3086[4].

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
    http://security-tracker.debian.org/tracker/CVE-2009-4214
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248
    http://security-tracker.debian.org/tracker/CVE-2008-7248
[2] http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
[3] http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
[4] http://security-tracker.debian.org/tracker/CVE-2009-3086

Cheers
Steffen
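An added illustration of the CVE-2008-7248 point above (constructed for this page, not code from Rails or from the Debian package): a minimal model of a Rails 2.x-style CSRF check in which token verification is skipped for "unverifiable" content types. The two type lists, the format mapping and the request hash are assumptions for the example; the weak list stands in for a configuration that includes 'text' in @@unverifiable_types, the fixed list for one that does not.

```ruby
# Model (not Rails' own code) of a CSRF check that exempts certain content
# types from token verification. Listing 'text' among the exempt types is
# the weakness behind CVE-2008-7248: a plain HTML form can be submitted with
# enctype="text/plain", so text/plain is not evidence of a non-browser client.
require 'set'

# Hypothetical stand-ins for @@unverifiable_types (constructed values).
WEAK_UNVERIFIABLE  = Set.new(%w[text xml json]).freeze   # includes 'text'
FIXED_UNVERIFIABLE = Set.new(%w[xml json]).freeze        # 'text' removed

# Map a Content-Type header to the short format name the lists use.
def format_of(content_type)
  case content_type.to_s.split(';').first.to_s.strip
  when 'text/plain'                      then 'text'
  when 'application/xml', 'text/xml'     then 'xml'
  when 'application/json'                then 'json'
  when 'application/x-www-form-urlencoded',
       'multipart/form-data'             then 'form'
  else 'unknown'
  end
end

# request: hash with :method, :content_type, :params (submitted fields) and
# :session (holding the server-side token). Returns true when the request
# is allowed to proceed under the given exemption list.
def verified_request?(request, unverifiable_types)
  return true if %w[GET HEAD].include?(request[:method])      # safe methods
  return true if unverifiable_types.include?(format_of(request[:content_type]))
  session_token = request[:session][:csrf_token]
  !session_token.nil? &&
    request[:params]['authenticity_token'] == session_token
end

# Constructed sample: a cross-site form post sent with enctype="text/plain",
# carrying no authenticity token at all.
FORGED_TEXT_POST = {
  method: 'POST',
  content_type: 'text/plain',
  params: { 'amount' => '100' },
  session: { csrf_token: 'constructed-session-token' }
}.freeze
```

Under the weak list the forged post is accepted without a token; under the fixed list it is rejected, while a normal form post carrying the session token still passes.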