[DRE-maint] Bug#668607: CVE-2012-1098 / CVE-2012-1099
Ondřej Surý
ondrej at sury.org
Sun Apr 15 08:53:12 UTC 2012
On Fri, Apr 13, 2012 at 18:25, Nico Golde <nion at debian.org> wrote:
> Hi,
> * Ondřej Surý <ondrej at sury.org> [2012-04-13 15:56]:
>> On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
>> <muehlenhoff at univention.de> wrote:
>> > Package: rails
>> > Severity: grave
>> > Tags: security
>> >
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
>> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
>>
>> The vulnerable code isn't present in rails-2.3 (which doesn't mean
>> that rails 2.3 is not vulnerable, just that we cannot fix that)
>>
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099
>> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
>>
>> I have adapted upstream patch to rails-2.3, the code seems to be
>> reasonably similar to 3.x.
>>
>> $ diffstat rails_2.3.5-1.2+squeeze3.debdiff
>> changelog | 8 +++++++
>> patches/CVE-2012-1099.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
>> patches/series | 1
>> 3 files changed, 55 insertions(+)
>>
>> debdiff, dsc and debian.tar.gz attached
>
> Looks good. Please go ahead and upload this to security-master.
Thanks, uploaded.
For unstable it has been fixed in:
ruby-actionpack-2.3 (2.3.14-3) unstable; urgency=low
* Fix vulnerability for users that generate their own options tags for
use with the select helper in Ruby On Rails [CVE-2012-1099]
(Closes: #668607)
-- Ondřej Surý <ondrej at debian.org> Fri, 13 Apr 2012 15:39:31 +0200
O.
--
Ondřej Surý <ondrej at sury.org>
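The changelog entry above names the class of bug fixed for CVE-2012-1099: option tags that a caller assembles as a plain String and hands to the select helper were inserted into the page as-is, so a caller who built that string from user input shipped an XSS. The following is an added Ruby example written for this page; it is neither Rails' own form_options_helper code nor the Debian patch. It is a toy select helper showing the weak pattern beside the hardened one. The names SafeBuffer, select_tag_weak, select_tag_safe and the attacker-controlled option string are assumptions constructed for the illustration.

```ruby
require "erb"

# Added example, not Rails code. SafeBuffer and the helper names below are
# assumptions for this illustration of the CVE-2012-1099 fix pattern.

# Marker type for strings the caller vouches for as already-escaped markup
# (the role ActiveSupport::SafeBuffer plays in Rails; this is a stand-in).
class SafeBuffer < String; end

def html_safe?(str)
  str.is_a?(SafeBuffer)
end

def html_escape(value)
  ERB::Util.html_escape(value.to_s)
end

# Builds <option> tags from [text, value] pairs (or bare strings), escaping
# both text and value, and returns the result marked safe.
def options_for_select(choices, selected = nil)
  tags = choices.map do |text, value|
    value = text if value.nil?
    sel = value.to_s == selected.to_s ? ' selected="selected"' : ""
    %(<option value="#{html_escape(value)}"#{sel}>#{html_escape(text)}</option>)
  end
  SafeBuffer.new(tags.join("\n"))
end

# Weak pattern: any String of option tags is trusted as markup. A caller who
# generates it from user input sends whatever the user typed to the browser.
def select_tag_weak(name, option_tags)
  %(<select name="#{html_escape(name)}">#{option_tags}</select>)
end

# Hardened pattern: only a string explicitly marked safe is inserted verbatim;
# an unmarked String is escaped, so injected "<script>" becomes inert text.
def select_tag_safe(name, option_tags)
  body = html_safe?(option_tags) ? option_tags : html_escape(option_tags)
  %(<select name="#{html_escape(name)}">#{body}</select>)
end

# Constructed attacker payload: a caller built option tags by hand from
# user input and the input carried a script tag.
EVIL_OPTIONS = %(<option>x</option><script>alert(1)</script>)

if __FILE__ == $0
  puts select_tag_weak("color", EVIL_OPTIONS)   # script tag reaches the page
  puts select_tag_safe("color", EVIL_OPTIONS)   # script tag is escaped
  puts select_tag_safe("color", options_for_select([["Red", 1], ["<b>", 2]], 2))
end
```

The hardened helper still accepts caller-built option strings, which is the behaviour the changelog preserves for "users that generate their own options tags"; the difference is that such a string must be marked safe (here, by coming from options_for_select) before it is emitted unescaped.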
More information about the Pkg-ruby-extras-maintainers mailing list