Just a heads-up: versions of rubygem-extlib < 0.9.16 are similarly vulnerable and, depending on loading order, might reopen the security hole in Rails applications, since the patched Rails version of the Hash#from_xml method is replaced by extlib's version.
Regards,
René van den Berg

On Thu, Jan 10, 2013 at 4:31 PM, Vít Ondruch <[email protected]> wrote:
> On 10.1.2013 16:29, Vít Ondruch wrote:
>
>> On 10.1.2013 16:14, Tejas Dinkar wrote:
>>>
>>> Just in case you guys hadn't heard about it:
>>> https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
>>>
>>> This is considered an urgent fix.
>>>
>>
>> Thank you for the heads-up.
>>
>> Rawhide was updated to Rails 3.2.11 yesterday and there are already
>> updates for F18 [1] and F17 [2].
>>
>> Unfortunately, there is one incompatibility
>
> [3] ... forgot to reference it :)
>
>> introduced by these fixes, so I am not sure if I should push it into
>> stable.
>>
>> Working on F16 now but I am afraid I'm not going to make it today :/ But
>> somebody will continue where I will end.
>>
>> Vít
>>
>> [1] https://admin.fedoraproject.org/updates/rubygem-actionpack-3.2.8-2.fc18,rubygem-activerecord-3.2.8-3.fc18,rubygem-activesupport-3.2.8-2.fc18
>> [2] https://admin.fedoraproject.org/updates/rubygem-actionpack-3.0.11-8.fc17,rubygem-activerecord-3.0.11-5.fc17,rubygem-activemodel-3.0.11-2.fc17,rubygem-activesupport-3.0.11-7.fc17
>> [3] https://github.com/rails/rails/issues/8832
>> _______________________________________________
>> ruby-sig mailing list
>> [email protected]
>> https://admin.fedoraproject.org/mailman/listinfo/ruby-sig
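The load-order shadowing René describes can be checked both at runtime (which file currently defines `Hash.from_xml`) and in a lockfile (is extlib pinned below 0.9.16). This is an added example, not code from the thread or from Rails/extlib; the gem paths and the Gemfile.lock fragment are constructed.

```ruby
# Added example: detect whether extlib shadows the patched ActiveSupport Hash.from_xml.
# Assumptions: gems live in directories named <gem>-<version> (RubyGems layout) and
# the only page-given fixed version is extlib 0.9.16.
require 'rubygems'

EXTLIB_FIXED = Gem::Version.new("0.9.16")

# File that defines the currently active Hash.from_xml, or nil if no library
# has defined it in this process (plain Ruby has no Hash.from_xml).
def hash_from_xml_source
  return nil unless Hash.respond_to?(:from_xml)
  loc = Hash.method(:from_xml).source_location
  loc && loc.first
end

# True when the active definition comes from an extlib gem directory, i.e.
# extlib was loaded after ActiveSupport and replaced the patched method.
def from_xml_from_extlib?(path)
  !path.nil? && path.include?("/extlib-")
end

# Version of extlib pinned in Gemfile.lock text, or nil if extlib is absent.
def extlib_version_in_lock(lock_text)
  m = lock_text.match(/^\s+extlib \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

def extlib_vulnerable?(version)
  !version.nil? && version < EXTLIB_FIXED
end

# Constructed Gemfile.lock fragment: patched Rails, but an old extlib alongside it.
SAMPLE_LOCK = <<LOCK
GEM
  remote: https://rubygems.org/
  specs:
    activesupport (3.2.11)
      i18n (~> 0.6)
    extlib (0.9.15)
LOCK

if __FILE__ == $0
  v = extlib_version_in_lock(SAMPLE_LOCK)
  puts "extlib #{v}: #{extlib_vulnerable?(v) ? 'below 0.9.16, can shadow patched from_xml' : 'ok'}"
  src = hash_from_xml_source
  puts "Hash.from_xml defined in: #{src.inspect}"
  puts "WARNING: Hash.from_xml comes from extlib" if from_xml_from_extlib?(src)
end
```

In a real application, call `hash_from_xml_source` after all gems are required (e.g. from an initializer), since it is the final load order that decides which definition wins.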
