Thanks for the debdiff, but I have a few comments:

- CVE-2011-2932 does seem to affect lucid, as the insecure code seems to be present in actionpack/lib/action_view/erb/util.rb

- Please add the upstream commit that fixed each issue to debian/changelog, so we can trace where the fix came from

Also, did you successfully run the test suite after updating the package? I'm curious if this actually worked:

+ 'Mysql2Adapter' => '`',

For Maverick and Natty, we're going to need minimal debdiffs also, as natty has an ubuntu-specific change in it, and the debian update contains some other changes which are not currently in maverick.

I am unsubscribing ubuntu-security-sponsors for now, please fix the debdiff. Once that is done, please resubscribe ubuntu-security-sponsors and set the status to 'NEW'.

Thanks.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2932

** Tags added: patch-needswork

** Changed in: rails (Ubuntu Lucid)
       Status: New => Incomplete

** Changed in: rails (Ubuntu Lucid)
     Assignee: (unassigned) => Felix Geyer (debfx)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/870846

Title:
  several vulnerabilities in rails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rails/+bug/870846/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
