Thanks Matthew, I'll alert the LTS team to this thread for their input :)
On Wednesday, January 27, 2016 at 11:34:18 AM UTC+13, matthewd wrote: > > > > Rails LTS has released their own patched version of 3.2.22 with the > following notes: > > > > [CVE-2016-0753] Possible Input Validation Circumvention in Active Model > > [..] > > Despite what the announcement said, Rails 3.2 is affected. The issue is > patched in the new LTS release. > > > > [CVE-2015-7581] Object leak vulnerability for wildcard controller routes > in Action Pack > > [..] > > Despite what the announcement said, Rails 3.2 is affected. The issue is > patched in the new LTS release. > > > > Given they've identified 3.2 is affected by those two issues, will there > be a new official release of 3.2.22 to patch those two vulnerabilities > also? > > > Details of security issues welcome: > > > If you run in to security issues, please follow the reporting process > which can be found [here](http://rubyonrails.org/security/). > > > We obviously evaluated all the issues for applicability to 3.2; it’s very > possible we missed something, but if so, we may need a more specific hint > than “it’s there”. Anyway, we’ll have another look. > > > Matthew > > > -- > [email protected] <javascript:> > > -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/rubyonrails-core. For more options, visit https://groups.google.com/d/optout.
