On 8/27/10 4:27 PM, "Leibowitz, Michael" <[email protected]> wrote:
>On Fri, 2010-08-27 at 16:23 -0700, Ware, Ryan R wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> ============================================================================
>> MeeGo-SA-10:19.ruby          Security Advisory          MeeGo Project
>>
>> Topic: Remote Script Injection via Ruby WEBrick
>>
>> Category: Scripting
>> Module: ruby
>> Announced: August 3, 2010
>> Affects: MeeGo 1.0
>> Corrected: August 3, 2010
>> MeeGo BID: 3357
>> CVE: CVE-2010-0541
>...
>> Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in
>> Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote
>> attackers to inject arbitrary web script or HTML via a crafted URI
>> that triggers a UTF-7 error page.
>
>This affects Mac OS X according to the description. Is it more than
>that? Why are we incorporating patches that only affect other
>platforms?
>

We are not including patches that only affect other platforms. The official CVE entry specifically mentions the ruby on Mac because it is Apple that published the vulnerability (APPLE:APPLE-SA-2010-06-15-1). I considered changing the wording to make it explicitly clear that this did affect MeeGo, but my previous commitment is to explicitly use the description information as published by Mitre as part of the CVE.

Ryan
_______________________________________________
MeeGo-dev mailing list
[email protected]
http://lists.meego.com/listinfo/meego-dev
