[Bug 163054] Please sync rails 1.2.4-1 (universe) from Debian unstable (main)
william at qeuni.net
Fri Nov 16 08:55:22 GMT 2007
Public bug reported:
Please sync rails 1.2.4-1 (universe) from Debian unstable (main).
Explanation of the Ubuntu delta and why it can be dropped:
libmocha-ruby1.8 dependency can be re-added; we have it in Hardy.
Changelog since current hardy version 1.2.4-1ubuntu1:
rails (1.2.5-1) unstable; urgency=high

  * This is a new upstream release that addresses problems not
    corrected in 1.2.4 or regressions.
    + to_json XSS [CVE-2007-3227] is really closed now
    + Potential Information Disclosure or DoS with Hash#from_xml
    + Session Fixation attacks. [CVE-2007-5380] URL based sessions are
      now disabled by default. Session ids are only accepted from
      cookies by default now.
  * Urgency set to high due to security issues addressed

 -- Adam Majer <adamm at zombino.com>  Sun, 14 Oct 2007 21:12:34 -0500
** Affects: rails (Ubuntu)
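The session-fixation entry in the changelog above (CVE-2007-5380) says that 1.2.5 stops accepting session ids from the URL and reads them only from the cookie. The following Ruby is an added illustration of that change, not code from the Debian package, from Ubuntu, or from Rails itself: it places the old URL-fallback lookup beside the cookie-only lookup and adds the usual companion control, rotating the session id at login. The `SESSION_KEY` name, the request hashes, the cookie and query-string parsers, and the sample requests are all constructed for this example.

```ruby
# Added example (not from the Debian/Ubuntu package or from Rails):
# models the session-fixation mitigation described in the changelog.
require 'uri'
require 'securerandom'

SESSION_KEY = '_session_id' # assumed cookie / parameter name

# Parse a Cookie request header into a Hash (constructed helper).
def parse_cookies(header)
  return {} if header.nil? || header.empty?
  header.split(/;\s*/).each_with_object({}) do |pair, h|
    k, v = pair.split('=', 2)
    h[k] = v.to_s if k
  end
end

# Parse a query string into a Hash (constructed helper).
def parse_query(query)
  return {} if query.nil? || query.empty?
  URI.decode_www_form(query).to_h
end

# Pre-fix behaviour: when no cookie is present, fall back to the URL
# parameter. An id chosen by whoever built the link is accepted as-is,
# which is exactly what makes session fixation possible.
def session_id_url_fallback(request)
  cookies = parse_cookies(request[:cookie_header])
  params  = parse_query(request[:query_string])
  cookies[SESSION_KEY] || params[SESSION_KEY]
end

# Post-fix behaviour (the 1.2.5 default): cookie only; the URL parameter
# is ignored, so a link cannot plant a session id.
def session_id_cookie_only(request)
  parse_cookies(request[:cookie_header])[SESSION_KEY]
end

# Companion control: issue a fresh id when the session gains privileges
# (e.g. at login), so any id known before authentication stops being valid.
# `store` is a constructed in-memory session store keyed by session id.
def rotate_session_id(store, old_id)
  new_id = SecureRandom.hex(16)
  store[new_id] = store.delete(old_id) || {}
  new_id
end

# Constructed sample requests.
CRAFTED_LINK = {
  cookie_header: nil,
  query_string: "#{SESSION_KEY}=attacker_chosen&page=1"
}
COOKIE_REQUEST = {
  cookie_header: "#{SESSION_KEY}=abc123; lang=en",
  query_string: "#{SESSION_KEY}=attacker_chosen"
}

if __FILE__ == $PROGRAM_NAME
  puts "URL fallback, crafted link : #{session_id_url_fallback(CRAFTED_LINK).inspect}"
  puts "Cookie only,  crafted link : #{session_id_cookie_only(CRAFTED_LINK).inspect}"
  puts "Cookie only,  real cookie  : #{session_id_cookie_only(COOKIE_REQUEST).inspect}"
end
```

Run with `ruby session_fixation.rb`: the fallback lookup returns the id planted in the link, while the cookie-only lookup returns `nil` for that request and only honours the value a browser actually sent in its Cookie header. Detection-wise, a `_session_id` parameter appearing in request URLs after an upgrade to cookie-only sessions is worth logging, since legitimate clients no longer have a reason to send one.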