[DRE-maint] Bug#668607: CVE-2012-1098 / CVE-2012-1099
Ondřej Surý
ondrej at sury.org
Fri Apr 13 13:55:10 UTC 2012
Hi Moritz,
thanks for the reminder.
On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
<muehlenhoff at univention.de> wrote:
> Package: rails
> Severity: grave
> Tags: security
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
The vulnerable code isn't present in rails-2.3 (which doesn't mean
that rails 2.3 is not vulnerable, just that we cannot fix that).
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
I have adapted the upstream patch to rails-2.3; the code seems to be
reasonably similar to 3.x.
$ diffstat rails_2.3.5-1.2+squeeze3.debdiff
changelog | 8 +++++++
patches/CVE-2012-1099.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 55 insertions(+)
debdiff, dsc and debian.tar.gz attached.
Ondrej
--
Ondřej Surý <ondrej at sury.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rails_2.3.5-1.2+squeeze3.debdiff
Type: application/octet-stream
Size: 3464 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20120413/4ed6336f/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rails_2.3.5-1.2+squeeze3.debian.tar.gz
Type: application/x-gzip
Size: 24820 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20120413/4ed6336f/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rails_2.3.5-1.2+squeeze3.dsc
Type: application/octet-stream
Size: 1543 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20120413/4ed6336f/attachment-0003.obj>