> - CVE-2011-2932 does seem to affect lucid, as the insecure code seems to be present in actionpack/lib/action_view/erb/util.rb
Ah yes, but the affected code is in actionpack/lib/action_view/template_handlers/erb.rb

> - Please add the upstream commit that fixed each issue to debian/changelog, so we can trace where the fix came from

I've added links to the rubyonrails-security threads.

> Also, did you successfully run the test suite after updating the package?

Yes, for mysql and sqlite. One test failed, but I think that's an error in the test code that seems to be fixed by https://rails.lighthouseapp.com/projects/8994/tickets/3826-patch-failure-on-test_validates_acceptance_of_as_database_column

I've also discovered a mistake in the patch for CVE-2011-0446 which I've fixed now.

** Patch added: "rails_2.2.3-2ubuntu0.1_v2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/rails/+bug/870846/+attachment/2538714/+files/rails_2.2.3-2ubuntu0.1_v2.debdiff

** Changed in: rails (Ubuntu Lucid)
       Status: Incomplete => New

-- 
https://bugs.launchpad.net/bugs/870846
Title: several vulnerabilities in rails
