hi,

> For further information see:
> [0] http://security-tracker.debian.org/tracker/CVE-2013-0262
> [1] http://security-tracker.debian.org/tracker/CVE-2013-0263
>
> Please adjust the affected versions in the BTS as needed.
>
> Note: According to the red hat bugtracker for CVE-2013-0262 only
> versions after 1.4.x are affected, for CVE-2013-0263 all previous
> versions. Could you please double check this, and mark
> accordingly?

With a quick look:

The code which raises CVE-2013-0262 (calculate path depth sequentially)
was introduced in rack-1.4.0. So the stable version (librack-ruby 1.1.0-4)
is not affected.

The code which raises CVE-2013-0263 (needs time string comparison)
also affects the stable version:
https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49

Would it be better to split this bug?

regards,
-- 
KURASHIKI Satoru

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
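An added example (not Rack's code and not part of this thread) of the defensive pattern the message refers to for CVE-2013-0263: verifying a session cookie's HMAC with a constant-time comparison instead of a plain `==`/`!=`. The `<base64 data>--<hex HMAC>` cookie layout, the secret, and the use of JSON in place of Rack's marshalled session data are assumptions made for this example.

```ruby
require 'openssl'
require 'json'

# Constant-time comparison: XOR every byte and OR the results together, so the
# running time does not depend on the position of the first mismatching byte.
# A plain `digest != expected` returns at the first differing byte, which is the
# timing weakness class described by CVE-2013-0263.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  acc = 0
  b.each_byte { |v| acc |= v ^ left.shift }
  acc == 0
end

# HMAC-SHA1 over the encoded cookie payload, keyed with the server secret.
def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Build a signed cookie: strict base64 of the JSON session, "--", hex digest.
# (Assumed layout for this example; Rack marshals the session instead of JSON.)
def sign_cookie(session_hash, secret)
  data = [session_hash.to_json].pack("m0")
  "#{data}--#{generate_hmac(data, secret)}"
end

# Return the session hash when the digest verifies, nil otherwise.
# The digest is checked in constant time before the payload is decoded.
def verify_cookie(cookie, secret)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, generate_hmac(data, secret))
  JSON.parse(data.unpack("m0").first)
rescue ArgumentError, JSON::ParserError
  nil
end
```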