Also, after talking with my old colleagues, I just realized that they might be using Ruby 1.8 and not 1.9.1. It seems we have triaged those out of the picture, but maybe all 1.8 packages are affected by a bunch of those issues too? This looks suspiciously sparse:
https://security-tracker.debian.org/tracker/source-package/ruby1.8 ... when compared to the larger: https://security-tracker.debian.org/tracker/source-package/ruby1.9.1 I feel it's quite possible we have forgotten a bunch of CVEs in Ruby 1.8, is it possible? A.
