[DRE-maint] Bug#668607: CVE-2012-1098 / CVE-2012-1099
Nico Golde
nion at debian.org
Fri Apr 13 16:25:47 UTC 2012
Hi,
* Ondřej Surý <ondrej at sury.org> [2012-04-13 15:56]:
> On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
> <muehlenhoff at univention.de> wrote:
> > Package: rails
> > Severity: grave
> > Tags: security
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
>
> The vulnerable code isn't present in the rail-2.3 (which doesn't mean
> that rails 2.3 is not vulnerable, just that we cannot fix that)
>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
>
> I have adapted upstream patch to rails-2.3, the code seems to be
> reasonably similar to 3.x.
>
> $ diffstat rails_2.3.5-1.2+squeeze3.debdiff
> changelog | 8 +++++++
> patches/CVE-2012-1099.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
> patches/series | 1
> 3 files changed, 55 insertions(+)
>
> debdiff, dsc and debian.tar.gz attached
Looks good. Please go ahead and upload this to security-master.
Thank you!
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20120413/dafd3f98/attachment.pgp>
More information about the Pkg-ruby-extras-maintainers
mailing list