[Bug 163054] Please sync rails 1.2.4-1 (universe) from Debian unstable (main)
William Grant
william at qeuni.net
Fri Nov 16 08:55:22 GMT 2007
Public bug reported:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
affects ubuntu/rails
status confirmed
subscribe ubuntu-archive
Please sync rails 1.2.4-1 (universe) from Debian unstable (main).
Explanation of the Ubuntu delta and why it can be dropped:
libmocha-ruby1.8 dependency can be re-added; we have it in Hardy.
Changelog since current hardy version 1.2.4-1ubuntu1:
rails (1.2.5-1) unstable; urgency=high

  * This is a new upstream release that addresses problems not
    corrected in 1.2.4 or regressions.
    + to_json XSS [CVE-2007-3227] is really closed now
    + Potential Information Disclosure or DoS with Hash#from_xml
      [CVE-2007-5379]
    + Session Fixation attacks. [CVE-2007-5380] URL based sessions are
      now disabled by default. Session ids are only accepted from
      cookies by default now.
    [Micah Anderson]
  * Urgency set to high due to security issues addressed

 -- Adam Majer <adamm at zombino.com>  Sun, 14 Oct 2007 21:12:34 -0500
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHPVr3Ac+S8KckfcURAr19AJ4orUgRx43m98rct2YhfnrKIL66aQCfRWVe
XTzjYRdaibo+XH1zjiB0v+0=
=kNma
-----END PGP SIGNATURE-----
** Affects: rails (Ubuntu)
Importance: Undecided
Status: Confirmed
--
Please sync rails 1.2.4-1 (universe) from Debian unstable (main)
https://bugs.launchpad.net/bugs/163054
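The changelog's session-fixation entry says that 1.2.5 stops accepting session ids from the URL and takes them only from cookies. The following is an added illustration, written for this page and not code from Rails, Debian or the bug reporter, of why that default matters: a toy session store with a switch for URL-based session ids, plus the id renewal at login that closes the remaining fixation window. The `Request` struct, the `SessionStore` class and its `accept_url_sessions:` option are assumptions made for the example; only the `_session_id` name mirrors the Rails 1.x default.

```ruby
# Added illustration (not Rails code). Fixation relies on the attacker
# choosing the session id the victim will log in under. If the server accepts
# ids from the URL, a crafted link such as /login?_session_id=... does that.
# Cookie-only lookup removes the URL path; renewing the id at login removes
# the case where the attacker learned the cookie value by other means.
require 'securerandom'

# Assumed toy request shape: cookie hash and query-parameter hash.
Request = Struct.new(:cookies, :params)

class SessionStore
  SESSION_KEY = '_session_id' # mirrors the Rails 1.x default cookie name

  # accept_url_sessions: false models the 1.2.5 default, true the old one.
  def initialize(accept_url_sessions: false)
    @accept_url_sessions = accept_url_sessions
    @sessions = {}
  end

  # The id the client is presenting, if any. Only the cookie is consulted
  # unless URL-based sessions were explicitly enabled.
  def presented_id(request)
    id = request.cookies[SESSION_KEY]
    id ||= request.params[SESSION_KEY] if @accept_url_sessions
    id
  end

  # Adopt the presented id only if the server issued it; otherwise start a
  # fresh session. A client can never pick an id the server does not know.
  def load(request)
    id = presented_id(request)
    return [id, @sessions[id]] if id && @sessions.key?(id)
    new_session
  end

  # Server-chosen, unguessable id.
  def new_session
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    [id, @sessions[id]]
  end

  # Call at authentication: move the data to a new id and invalidate the old
  # one, so an id known to anyone before login is worthless afterwards.
  def renew(old_id)
    data = @sessions.delete(old_id) || {}
    id = SecureRandom.hex(16)
    @sessions[id] = data
    id
  end

  def valid?(id)
    @sessions.key?(id)
  end
end

# Does a victim who follows a link carrying a server-issued id end up in that
# session? True means the URL path for fixation is open.
def url_fixation_possible?(store)
  planted_id, _ = store.new_session
  victim_request = Request.new({}, { SessionStore::SESSION_KEY => planted_id })
  resolved_id, _ = store.load(victim_request)
  resolved_id == planted_id
end

if __FILE__ == $PROGRAM_NAME
  puts "URL sessions enabled,  fixation possible: #{url_fixation_possible?(SessionStore.new(accept_url_sessions: true))}"
  puts "URL sessions disabled, fixation possible: #{url_fixation_possible?(SessionStore.new)}"
end
```

Run it directly to see the two defaults side by side. In a real deployment the cookie-only default covers the URL vector; `renew` is the complementary control a login handler still needs, since it also defuses ids planted through a cookie.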