[DRE-maint] Bug#668607: CVE-2012-1098 / CVE-2012-1099

Nico Golde nion at debian.org
Fri Apr 13 16:25:47 UTC 2012


Hi,
* Ondřej Surý <ondrej at sury.org> [2012-04-13 15:56]:
> On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
> <muehlenhoff at univention.de> wrote:
> > Package: rails
> > Severity: grave
> > Tags: security
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
> 
> The vulnerable code isn't present in rails-2.3 (which doesn't mean
> that rails 2.3 is not vulnerable, just that we cannot fix that)
> 
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
> 
> I have adapted the upstream patch to rails-2.3, the code seems to be
> reasonably similar to 3.x.
> 
> $ diffstat rails_2.3.5-1.2+squeeze3.debdiff
>  changelog                   |    8 +++++++
>  patches/CVE-2012-1099.patch |   46 ++++++++++++++++++++++++++++++++++++++++++++
>  patches/series              |    1
>  3 files changed, 55 insertions(+)
> 
> debdiff, dsc and debian.tar.gz attached

Looks good. Please go ahead and upload this to security-master.

Thank you!
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.