Hi,

* Ondřej Surý <[email protected]> [2012-04-13 15:56]:
> On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
> <[email protected]> wrote:
> > Package: rails
> > Severity: grave
> > Tags: security
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
>
> The vulnerable code isn't present in rails-2.3 (which doesn't mean
> that rails 2.3 is not vulnerable, just that we cannot fix that).
>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
>
> I have adapted the upstream patch to rails-2.3; the code seems to be
> reasonably similar to 3.x.
>
> $ diffstat rails_2.3.5-1.2+squeeze3.debdiff
>  changelog                   |  8 +++++++
>  patches/CVE-2012-1099.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
>  patches/series              |  1
>  3 files changed, 55 insertions(+)
>
> debdiff, dsc and debian.tar.gz attached
Looks good. Please go ahead and upload this to security-master.

Thank you!
Nico
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

