Debian Bug report logs - #614864
CVE-2011-0446 and CVE-2011-0447


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 23 Feb 2011 21:45:01 UTC

Severity: grave

Tags: security

Fixed in versions rails/2.3.11-0.1, rails/2.3.5-1.2+squeeze0.1

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Adam Majer <adamm@zombino.com>:
Bug#614864; Package rails. (Wed, 23 Feb 2011 21:45:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Adam Majer <adamm@zombino.com>. (Wed, 23 Feb 2011 21:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-0446 and CVE-2011-0447
Date: Wed, 23 Feb 2011 22:40:59 +0100
Package: rails
Severity: grave
Tags: security

Please see
http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

Cheers,
        Moritz

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#614864; Package rails. (Fri, 04 Mar 2011 15:57:03 GMT)


Acknowledgement sent to micah anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Fri, 04 Mar 2011 15:57:03 GMT)


Message #10 received at 614864@bugs.debian.org:

From: micah anderson <micah@riseup.net>
To: 614864@bugs.debian.org
Subject: patch
Date: Fri, 04 Mar 2011 10:53:18 -0500
Hi, 

I decided to help a little bit moving these issues forward. I did what I
could, but now the more experienced debian rails people need to act. In
particular, there is a decision that needs to be made for CVE-2011-0446,
and a review of the fix I did for CVE-2011-0447. I am happy to help
facilitate in any other way, but I need others who have more experience
to weigh in on those.

Both of these CVEs affect all versions of rails, including those in
oldstable.

CVE-2011-0446
-------------

Patch for rails 2.3 to fix CVE-2011-0446 is here:

http://rubyonrails-security.googlegroups.com/attach/365b8a23b76a6b4a/2-3-mailto.patch?part=3

The upstream commit id is: abe97736b8316f1b714cac56c115c0779aa73217

Looking through the commit log for the above fix, it was done to rails
2.3.11, which has had three other commits that touched
actionpack/lib/action_view/helpers/url_helper.rb, the largest one is
9ca6df83f606a0fb8be3815328111d0cdaa7c65b which backports html_safe and
the latest rails_xss plugin. This change seems to be a pre-requisite for
the security fix, the sad thing is that it is a big change.

I did not do anything with CVE-2011-0446 as it was intrusive, hopefully
others who have experience with this package can weigh in on the best
way forwards with this one. Once this is resolved a security release
could happen.


CVE-2011-0447
-------------

The patch for rails 2.1 to fix CVE-2011-0447 is here:

http://rubyonrails-security.googlegroups.com/attach/c22ea1668c0d181c/2-1-csrf.patch?part=3

I was able to cherry-pick this commit
(d622353dd399908770473d417ecef028524b8c8b) from upstream's git repo into
the debian debian-lenny branch without any conflicts. I went ahead and
did that and have committed it, along with a changelog entry and a NEWS
entry that comes straight from the mailing list.

It is my opinion that the fix for lenny in 2.1 is done. Please someone
who has more skills in rails review this to make sure it is good, and
then I think it can be uploaded after contacting the security team.


The patch for rails 2.3 to fix CVE-2011-0447 is here:

http://rubyonrails-security.googlegroups.com/attach/c22ea1668c0d181c/2-3-csrf.patch?part=5

I was able to cherry-pick this commit
(9998f79b9cf9c60b07baf4c23a02178034e06d85) from upstream's git repo into
the debian v2.3-stable branch without any conflicts. I also went ahead
and committed this change, along with a changelog entry and a NEWS entry
that came from the mailing list, identical to the debian-lenny 2.1 one
above. 

Once CVE-2011-0446 has been resolved for 2.3, then this can be uploaded.

A few notes:

1. I noticed that the upload that made it into squeeze was never tagged
as debian/2.3.5-1.2, so I went ahead and did that.

2. I wasn't sure what the difference between the branch 'debian-lenny'
and v2.1-stable were. The 'debian-lenny' one seemed to have the most
recent security fixes, and had a debian directory, so I went with that
one.

3. v2.3-stable seemed to be the place for squeeze fixes, which differs
from the nomenclature used in #2, perhaps that fix should be in a
debian-squeeze branch? If so, then please change it, and clarify #2 for
v2.3-stable too.


Micah
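The message above points at the 2-3-mailto.patch for CVE-2011-0446 without saying what the helper gets wrong. The following is an added example, not Rails code and not part of this bug report: it models the mail_to(:encode => :javascript) output as a document.write('<a ...>') call that is percent-encoded byte by byte and wrapped in eval(decodeURIComponent('...')). With escape: false the address goes into the single-quoted JavaScript literal untouched; with escape: true it is run through a JavaScript-string escaper first, which is the shape of the upstream fix. The escape table, the checker and every name here belong to this example; treating the table as equivalent to the Rails escape_javascript helper is an assumption.

```ruby
# Added example; not Rails code and not from this bug report. It models the
# mail_to(:encode => :javascript) output the thread's 2-3-mailto.patch fixes:
# a document.write('<a ...>') call, percent-encoded byte by byte and wrapped in
# eval(decodeURIComponent('...')). With escape: false the address is dropped
# into the single-quoted JavaScript literal as-is; with escape: true it is
# passed through a JavaScript-string escaper first. All names here are this
# example's own.

# Escape table for a single-quoted JavaScript string literal. The character
# set mirrors what the Rails escape_javascript helper covers (backslash,
# both quotes, newlines and "</"); treating it as equivalent is an assumption.
JS_ESCAPES = {
  '\\'   => '\\\\',
  '</'   => '<\/',
  "\r\n" => '\n',
  "\n"   => '\n',
  "\r"   => '\n',
  '"'    => '\\"',
  "'"    => "\\'"
}.freeze

def js_escape(str)
  str.gsub(/\\|<\/|\r\n|[\n\r"']/) { |m| JS_ESCAPES[m] }
end

# Build the obfuscated mailto link: JavaScript source first, then
# percent-encode every byte (two hex digits per byte).
def obfuscated_mail_to(email, escape:)
  anchor = %(<a href="mailto:#{email}">#{email}</a>)
  anchor = js_escape(anchor) if escape
  js = "document.write('#{anchor}');"
  encoded = js.each_byte.map { |b| format('%%%02x', b) }.join
  %(<script type="text/javascript">eval(decodeURIComponent('#{encoded}'))</script>)
end

# Recover the JavaScript the browser would eval: pull the percent-encoded
# argument out of the script tag and decode it byte by byte.
def decoded_payload(script)
  hex = script[/decodeURIComponent\('([^']*)'\)/, 1]
  hex.gsub(/%([0-9a-f]{2})/i) { $1.hex.chr }.force_encoding('UTF-8')
end

# True when document.write('...') is still one intact string literal: walk
# the literal honouring backslash escapes and check that the first unescaped
# quote is the one that closes the call. An apostrophe coming from the
# address closes the literal early, so whatever follows it runs as code.
def literal_intact?(js)
  prefix = "document.write('"
  return false unless js.start_with?(prefix)
  i = prefix.length
  while i < js.length
    case js[i]
    when '\\' then i += 2   # escaped character, skip it
    when "'"  then break    # first unescaped quote
    else i += 1
    end
  end
  js[i..-1] == "');"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile address: the apostrophes break out of the literal.
  hostile = "x'+alert(1)+'@example.com"
  [false, true].each do |escape|
    js = decoded_payload(obfuscated_mail_to(hostile, escape: escape))
    puts "escape=#{escape}: intact=#{literal_intact?(js)}  #{js}"
  end
end
```

Run it and the unescaped variant shows the literal closing right after "mailto:x", with the rest of the address left to execute; the escaped variant keeps the whole anchor inside one literal. The percent-encoding contributes nothing to safety here: decodeURIComponent undoes it before eval sees the string, so only escaping at the JavaScript-string layer helps.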




Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#614864; Package rails. (Thu, 17 Mar 2011 18:18:03 GMT)


Acknowledgement sent to micah anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Thu, 17 Mar 2011 18:18:03 GMT)


Message #15 received at 614864@bugs.debian.org:

From: micah anderson <micah@riseup.net>
To: 614864@bugs.debian.org
Subject: ping?
Date: Thu, 17 Mar 2011 14:15:02 -0400
Hi folks,

This security issue really needs to be dealt with. I'm concerned that we
are getting close to one month from when the bug was first reported to
the BTS; we are already over one month from when the bug was reported
upstream.

I'm looking for any feedback on the work I did...

micah

-- 


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#614864; Package rails. (Mon, 21 Mar 2011 07:15:03 GMT)


Acknowledgement sent to Adam Majer <adamm@zombino.com>:
Extra info received and forwarded to list. (Mon, 21 Mar 2011 07:15:03 GMT)


Message #20 received at 614864@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: micah anderson <micah@riseup.net>, 614864@bugs.debian.org
Subject: Re: Bug#614864: ping?
Date: Mon, 21 Mar 2011 01:56:34 -0500
On Thu, Mar 17, 2011 at 02:15:02PM -0400, micah anderson wrote:
> 
> Hi folks,
> 
> This security issue really needs to be dealt with, I'm concerned that we
> are getting close to one month from when the bug was first reported to
> the BTS, we are already over one month from when the bug was reported
> upstream.
> 
> I'm looking for any feedback on the work I did...

Your work is fine. I'll get this done tomorrow. I'm having a little
bit of a problem with unit tests for actionpack though. I know they
*used to* work in not so recent past.

- Adam


-- 
Adam Majer
adamm@zombino.com




Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#614864; Package rails. (Fri, 27 May 2011 10:21:03 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Fri, 27 May 2011 10:21:08 GMT)


Message #25 received at 614864@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: adamm@zombino.com, 614864@bugs.debian.org, Micah Anderson <micah@riseup.net>
Subject: Debian Rails package (Debian QA)
Date: Fri, 27 May 2011 12:17:33 +0200
Hi Adam,

since your last upload of rails happened more than a year ago and
there are 3 RC bugs open right now (including two CVEs), my question
is if you still have the resources to properly take care of rails. Maybe
it's time to find co-maintainers?

Anyway if I don't hear from you, I am going to NMU (2-day DELAY) the
package based on the work in the git repository this week.

Ccing Micah who did the last CVE fixes in the repository.

O.
-- 
Ondřej Surý <ondrej@sury.org>




Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Mon, 30 May 2011 13:51:12 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 30 May 2011 13:51:12 GMT)


Message #30 received at 614864-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 614864-close@bugs.debian.org
Subject: Bug#614864: fixed in rails 2.3.11-0.1
Date: Mon, 30 May 2011 13:47:37 +0000
Source: rails
Source-Version: 2.3.11-0.1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:

libactionmailer-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/libactionmailer-ruby1.8_2.3.11-0.1_all.deb
libactionmailer-ruby_2.3.11-0.1_all.deb
  to main/r/rails/libactionmailer-ruby_2.3.11-0.1_all.deb
libactionpack-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/libactionpack-ruby1.8_2.3.11-0.1_all.deb
libactionpack-ruby_2.3.11-0.1_all.deb
  to main/r/rails/libactionpack-ruby_2.3.11-0.1_all.deb
libactiverecord-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/libactiverecord-ruby1.8_2.3.11-0.1_all.deb
libactiverecord-ruby1.9.1_2.3.11-0.1_all.deb
  to main/r/rails/libactiverecord-ruby1.9.1_2.3.11-0.1_all.deb
libactiverecord-ruby_2.3.11-0.1_all.deb
  to main/r/rails/libactiverecord-ruby_2.3.11-0.1_all.deb
libactiveresource-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/libactiveresource-ruby1.8_2.3.11-0.1_all.deb
libactiveresource-ruby_2.3.11-0.1_all.deb
  to main/r/rails/libactiveresource-ruby_2.3.11-0.1_all.deb
libactivesupport-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/libactivesupport-ruby1.8_2.3.11-0.1_all.deb
libactivesupport-ruby1.9.1_2.3.11-0.1_all.deb
  to main/r/rails/libactivesupport-ruby1.9.1_2.3.11-0.1_all.deb
libactivesupport-ruby_2.3.11-0.1_all.deb
  to main/r/rails/libactivesupport-ruby_2.3.11-0.1_all.deb
rails-doc_2.3.11-0.1_all.deb
  to main/r/rails/rails-doc_2.3.11-0.1_all.deb
rails-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/rails-ruby1.8_2.3.11-0.1_all.deb
rails_2.3.11-0.1.debian.tar.gz
  to main/r/rails/rails_2.3.11-0.1.debian.tar.gz
rails_2.3.11-0.1.dsc
  to main/r/rails/rails_2.3.11-0.1.dsc
rails_2.3.11-0.1_all.deb
  to main/r/rails/rails_2.3.11-0.1_all.deb
rails_2.3.11.orig.tar.gz
  to main/r/rails/rails_2.3.11.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 614864@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 30 May 2011 14:58:12 +0200
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source all
Version: 2.3.11-0.1
Distribution: unstable
Urgency: medium
Maintainer: Adam Majer <adamm@zombino.com>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libactionmailer-ruby - Framework for generation of customized email messages
 libactionmailer-ruby1.8 - Framework for generation of customized email messages
 libactionpack-ruby - Controller and View framework used by Rails
 libactionpack-ruby1.8 - Controller and View framework used by Rails
 libactiverecord-ruby - ORM database interface for ruby
 libactiverecord-ruby1.8 - ORM database interface for ruby
 libactiverecord-ruby1.9.1 - ORM database interface for ruby
 libactiveresource-ruby - Connects objects and REST web services
 libactiveresource-ruby1.8 - Connects objects and REST web services
 libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
 rails      - MVC ruby based framework geared for web application development
 rails-doc  - Documentation for rails, a MVC ruby based framework
 rails-ruby1.8 - MVC ruby based framework geared for web application development
Closes: 546037 587767 614864 616456 618221 622829
Changes: 
 rails (2.3.11-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Imported Upstream version 2.3.11 (Closes: #616456)
     + Works with rubygems 1.6.x (Closes: #622829, #618221)
     + Fix XSS Risk in mail_to :encode=>:javascript [CVE-2011-0446]
     + Fix CSRF Bypass Risk: [CVE-2011-0447] (Closes: #614864)
     + I18N interpolation deprecation was removed in v2.3.6 (Closes: #546037)
   * Update dependencies on tmail (>= 1.2.7) and i18n (>= 0.4.1)
   * Adapt patches to the new release
   * Add Breaks: redmine (<< 1.1.3-1)
   * Add rubygems{1.8,1.9.1} dependency to all packages (Closes: #587767)
Checksums-Sha1: 
 969c40ea783af414e2d8cd7f5c04a6019a5f93fa 2043 rails_2.3.11-0.1.dsc
 3aad70662499a7dac943b1d8c8e0cabedd98fea4 3416081 rails_2.3.11.orig.tar.gz
 f7a1c66835494a93a9fcdb29ecc8dc9ef3d17707 17444 rails_2.3.11-0.1.debian.tar.gz
 2afd78ee91bf3c8b3ec47871ae4605b624edc933 11974 rails_2.3.11-0.1_all.deb
 295ffb97b207cd465c0f8fb326c3e8b61972e8f7 222784 rails-ruby1.8_2.3.11-0.1_all.deb
 d71192967048e7b268d8d3449d13c0474db65854 922666 rails-doc_2.3.11-0.1_all.deb
 008cef6c9861b95148bf530289e49647231396c9 9444 libactiverecord-ruby_2.3.11-0.1_all.deb
 56398b9d9dc1e3a7a63d34ec1eed0158d08afe9c 268580 libactiverecord-ruby1.8_2.3.11-0.1_all.deb
 49dd4dc5897012609cd69fb1e9d07812212a23be 269118 libactiverecord-ruby1.9.1_2.3.11-0.1_all.deb
 34038c63c16df34f57f042e566f4619e5814635d 9382 libactivesupport-ruby_2.3.11-0.1_all.deb
 ac412032c595a110d6e724f4974d6628b377fbf6 255620 libactivesupport-ruby1.8_2.3.11-0.1_all.deb
 928c78faf5c4055e409ae7c23b8473eca594e881 255592 libactivesupport-ruby1.9.1_2.3.11-0.1_all.deb
 72776e036be389356d4c122bcc6281845a727a80 9506 libactionpack-ruby_2.3.11-0.1_all.deb
 93333b56e771afe54275cf5e6e18ae8c7d06af67 324288 libactionpack-ruby1.8_2.3.11-0.1_all.deb
 8cf18c973a9be2ce565846270769e4d7dcc8171b 9478 libactionmailer-ruby_2.3.11-0.1_all.deb
 0fc07cb888d0fd8642b2e14fbc4692dc48d9d880 32048 libactionmailer-ruby1.8_2.3.11-0.1_all.deb
 5c8d7dc10f30194b781e741ad66c242eb0f904a3 9470 libactiveresource-ruby_2.3.11-0.1_all.deb
 f25a83bf0971e77e688b1835549d191a64229875 37596 libactiveresource-ruby1.8_2.3.11-0.1_all.deb
Checksums-Sha256: 
 4f14ec824ef1e4dcb1ac3f431b83c08f429b030a6062dba6962893df13376086 2043 rails_2.3.11-0.1.dsc
 60842a97e8a6ac03b60ed54f2c12f1b0991ede61c131074ef81edf14a70170ff 3416081 rails_2.3.11.orig.tar.gz
 d0848b2ca5ce2c700158e0b4ec84e190dd2b8998b71c2945ae80f329a7f96d09 17444 rails_2.3.11-0.1.debian.tar.gz
 7c45d8c8c757d4ed58818ad47cb28d9b127b7592e8cdee853c9a2fbda21cec8a 11974 rails_2.3.11-0.1_all.deb
 712f85bb65097aec41dd353dd5bc55971f17ce90f4d98c46ba10af7a5a43e449 222784 rails-ruby1.8_2.3.11-0.1_all.deb
 f970e8c159f8f1bd4aa932e1e210a3f221a67dbc5c1a54a438dd561eeed0c439 922666 rails-doc_2.3.11-0.1_all.deb
 1b7cf2c97cd50269ebc9302689ecd72652fddc5c5d40307a4416932340111e5a 9444 libactiverecord-ruby_2.3.11-0.1_all.deb
 96e7290dc0c16906ae0f4b048e22b4cd194bc3c2a3938b9c3ecf0dbb85c33b24 268580 libactiverecord-ruby1.8_2.3.11-0.1_all.deb
 6cc7bd029b8d2809fcecd5dcddb818b9d71306df9f917c572eff9f0433610b6c 269118 libactiverecord-ruby1.9.1_2.3.11-0.1_all.deb
 f42507d6ae29fc2bb123aa7097f5297e9ad0c3d39a67b83cc453738cbb76d139 9382 libactivesupport-ruby_2.3.11-0.1_all.deb
 3eff06cec0b36a3f2b27df8e8118649ef7e5fe994d050492be037c7d42463528 255620 libactivesupport-ruby1.8_2.3.11-0.1_all.deb
 7fef0ba541a1da37be8b4c018c69387e78e206eec27f278165f79b38cb13e23a 255592 libactivesupport-ruby1.9.1_2.3.11-0.1_all.deb
 47779f11a48e2e0a187fdecdc1b7ef22f3bfdfa0c0c1dee1687a15e3eaa06b08 9506 libactionpack-ruby_2.3.11-0.1_all.deb
 8db7f539c1bb92e8bed88e77376c3aab4cf7de14aa65bfaa9f707eed5510831b 324288 libactionpack-ruby1.8_2.3.11-0.1_all.deb
 22014f45859c41ed25220fbf07ab7b9ea72ec926f01cdf76094e1481f8adaa18 9478 libactionmailer-ruby_2.3.11-0.1_all.deb
 40c1c95d601c932f7f37994df55d520a5d4e45e88de2c4f76bc2de748f4d826e 32048 libactionmailer-ruby1.8_2.3.11-0.1_all.deb
 ccd7f4bba6d613232060471b21efc5d9af5de4795cd48bd4c9ed8a5ebb2ed024 9470 libactiveresource-ruby_2.3.11-0.1_all.deb
 591c35bdc7a850fde0e003e132393b6c978310915a23fd066fde4352934c75fb 37596 libactiveresource-ruby1.8_2.3.11-0.1_all.deb
Files: 
 42e6ecd03d3ed6dcb802b5d87ed61da0 2043 ruby optional rails_2.3.11-0.1.dsc
 79bed7ebcd02868f98c5a99270d14992 3416081 ruby optional rails_2.3.11.orig.tar.gz
 c30454030243ba3249c90943b094d42f 17444 ruby optional rails_2.3.11-0.1.debian.tar.gz
 589fc0ea9a825cdd835f961678bcaec1 11974 ruby optional rails_2.3.11-0.1_all.deb
 2db5b51c903b3682f6b326f119b7b79e 222784 ruby optional rails-ruby1.8_2.3.11-0.1_all.deb
 26493e07928e73ad1962be368c10e8da 922666 doc optional rails-doc_2.3.11-0.1_all.deb
 1c04d0420c40aefdf223bbb9ed933165 9444 ruby optional libactiverecord-ruby_2.3.11-0.1_all.deb
 49eae57c302a06975fc1c17a4846ef49 268580 ruby optional libactiverecord-ruby1.8_2.3.11-0.1_all.deb
 5e96ac50e93cd4d4ab48485d95533b91 269118 ruby optional libactiverecord-ruby1.9.1_2.3.11-0.1_all.deb
 5775b99d629a826643a157e990be0296 9382 ruby optional libactivesupport-ruby_2.3.11-0.1_all.deb
 2fc62af1c54c2be42d4d7972b4c7535c 255620 ruby optional libactivesupport-ruby1.8_2.3.11-0.1_all.deb
 8194424532b69291558664fa87302da5 255592 ruby optional libactivesupport-ruby1.9.1_2.3.11-0.1_all.deb
 2c94d1c4dbd86de383948875dc2da6ec 9506 ruby optional libactionpack-ruby_2.3.11-0.1_all.deb
 480693e61c22a5ab7472a5889d14220c 324288 ruby optional libactionpack-ruby1.8_2.3.11-0.1_all.deb
 17432f11e67b7be5902267745771bb91 9478 ruby optional libactionmailer-ruby_2.3.11-0.1_all.deb
 a1aacb3e63740a239a55f0cfdd4b144e 32048 ruby optional libactionmailer-ruby1.8_2.3.11-0.1_all.deb
 91116ae46feecfaf132a375e15de4869 9470 ruby optional libactiveresource-ruby_2.3.11-0.1_all.deb
 93c0169087cf7c1e08ad20f9ab46b0f9 37596 ruby optional libactiveresource-ruby1.8_2.3.11-0.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3jm2kACgkQ9OZqfMIN8nMeoQCgmDVjDSmSsmvx+0MB3j7T7wM5
tk4AoIN79NRzNAF0iT92DT3SgcKLo07o
=yIfz
-----END PGP SIGNATURE-----





Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Wed, 01 Jun 2011 01:57:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 01 Jun 2011 01:57:04 GMT)


Message #35 received at 614864-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 614864-close@bugs.debian.org
Subject: Bug#614864: fixed in rails 2.3.5-1.2+squeeze0.1
Date: Wed, 01 Jun 2011 01:54:03 +0000
Source: rails
Source-Version: 2.3.5-1.2+squeeze0.1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:

libactionmailer-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactionmailer-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
libactionmailer-ruby_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactionmailer-ruby_2.3.5-1.2+squeeze0.1_all.deb
libactionpack-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactionpack-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
libactionpack-ruby_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactionpack-ruby_2.3.5-1.2+squeeze0.1_all.deb
libactiverecord-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactiverecord-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
libactiverecord-ruby_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactiverecord-ruby_2.3.5-1.2+squeeze0.1_all.deb
libactiveresource-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactiveresource-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
libactiveresource-ruby_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactiveresource-ruby_2.3.5-1.2+squeeze0.1_all.deb
libactivesupport-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactivesupport-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
libactivesupport-ruby_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactivesupport-ruby_2.3.5-1.2+squeeze0.1_all.deb
rails-doc_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/rails-doc_2.3.5-1.2+squeeze0.1_all.deb
rails-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/rails-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
rails_2.3.5-1.2+squeeze0.1.debian.tar.gz
  to main/r/rails/rails_2.3.5-1.2+squeeze0.1.debian.tar.gz
rails_2.3.5-1.2+squeeze0.1.dsc
  to main/r/rails/rails_2.3.5-1.2+squeeze0.1.dsc
rails_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/rails_2.3.5-1.2+squeeze0.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 614864@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 30 May 2011 09:43:10 +0200
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source all
Version: 2.3.5-1.2+squeeze0.1
Distribution: stable-security
Urgency: low
Maintainer: Adam Majer <adamm@zombino.com>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libactionmailer-ruby - Framework for generation of customized email messages
 libactionmailer-ruby1.8 - Framework for generation of customized email messages
 libactionpack-ruby - Controller and View framework used by Rails
 libactionpack-ruby1.8 - Controller and View framework used by Rails
 libactiverecord-ruby - ORM database interface for ruby
 libactiverecord-ruby1.8 - ORM database interface for ruby
 libactiverecord-ruby1.9.1 - ORM database interface for ruby
 libactiveresource-ruby - Connects objects and REST web services
 libactiveresource-ruby1.8 - Connects objects and REST web services
 libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
 rails      - MVC ruby based framework geared for web application development
 rails-doc  - Documentation for rails, a MVC ruby based framework
 rails-ruby1.8 - MVC ruby based framework geared for web application development
Closes: 614864
Changes: 
 rails (2.3.5-1.2+squeeze0.1) stable-security; urgency=low
 .
   * Non-maintainer upload.
   * Fix CVE-2011-0446: Be sure to javascript_escape the email address to
     prevent apostrophes inadvertently causing javascript errors.
   * Fix CVE-2011-0447: Change the CSRF whitelisting to only apply to get
     requests (Closes: #614864)
Checksums-Sha1: 
 d1b5dd4331881b8dd33bbfd5492841b5f168edea 1699 rails_2.3.5-1.2+squeeze0.1.dsc
 f8df515f5137e69cefbdb21af94410eb6a0fd4b4 3173705 rails_2.3.5.orig.tar.gz
 d32a873db75c32888731983a1b4afaef38b994b2 21992 rails_2.3.5-1.2+squeeze0.1.debian.tar.gz
 2f9d30f93df62c14cd958fd1ff48bd68e1d4f5be 11878 rails_2.3.5-1.2+squeeze0.1_all.deb
 733d54b60153b1e497ea6ac0acf92773e2c76415 222196 rails-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 3729e581a27dabb1f9e76a3ec2d1e6e9ac57ea46 899126 rails-doc_2.3.5-1.2+squeeze0.1_all.deb
 bcafd9d20a27ee7cf12e5f9d738a9fe6df70c93b 9330 libactiverecord-ruby_2.3.5-1.2+squeeze0.1_all.deb
 f52d3133ab952dfb2ced0d1e1aca9a2e3484a90d 265992 libactiverecord-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 941f870683358ad716222518651f4a44a44bdefb 265302 libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 3362b81979dadf1849b3671df2ebb01d5649fc4b 9266 libactivesupport-ruby_2.3.5-1.2+squeeze0.1_all.deb
 abe4b8ab8361a937cf06c40b6c98704f8a3b5457 253658 libactivesupport-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 d32bef7b972c2b35a456d7c9596bb79f69298551 253082 libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 1f0b73e4cd2a4e09b55a436698ae50a2e26b868b 9394 libactionpack-ruby_2.3.5-1.2+squeeze0.1_all.deb
 aad4fd9cec2451506e965070904a96cddc679556 320978 libactionpack-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 415ce12fcddb3bb02c5f9dff262ec5b13243c877 9354 libactionmailer-ruby_2.3.5-1.2+squeeze0.1_all.deb
 f7a922b147ac5b653ffaa9460209175f2e47248f 31590 libactionmailer-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 55d86927015cbc1a335513812be701f8110a6316 9356 libactiveresource-ruby_2.3.5-1.2+squeeze0.1_all.deb
 2fc37eda971e886be8744e9e277243594d0592ba 36652 libactiveresource-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
Checksums-Sha256: 
 af896c43c483f87a2a07f73238adab5947a107ae442779e53edfa538c389c3aa 1699 rails_2.3.5-1.2+squeeze0.1.dsc
 f07416a3655ef24316e6fb8bd57bf00f5b06b9d6191cec15be93d08238ed1313 3173705 rails_2.3.5.orig.tar.gz
 cb3efe5064fe8b6f6a2215debcb01fa6bae1355968330e6a67f9a1ac5f0ac990 21992 rails_2.3.5-1.2+squeeze0.1.debian.tar.gz
 deeaedc7c699a52f246e9a4c454b53495ce72006f0a44cb96614240a1720d711 11878 rails_2.3.5-1.2+squeeze0.1_all.deb
 27b74e9455d91558526fcefc59da5b20a6410222afa817f5dea09a1ebcc1fc91 222196 rails-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 fc15660812c74ffd42fa73ffc2084ea39971d2a628072e363c6c99fb0602b5b8 899126 rails-doc_2.3.5-1.2+squeeze0.1_all.deb
 b666cd68aea827c71fb79cf66bdc5fcfe9abcbdad9fdc9205c369882a01d854c 9330 libactiverecord-ruby_2.3.5-1.2+squeeze0.1_all.deb
 3b7455f6366b91db2ba22398b5a52abfc655295bac7b005f62dffe23da3e7f1f 265992 libactiverecord-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 885c64b83752b9ec944578f52e7d0644e60783d36c5817b25fe9023328eae803 265302 libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 4b1a5c3651e73f2b867492fc30604310533c99bff9a7c3cf8f0675bedc040d2f 9266 libactivesupport-ruby_2.3.5-1.2+squeeze0.1_all.deb
 42e33a40091bfa54e036fa8db85e8c0f7747d9b03da51f0388533327e80139c6 253658 libactivesupport-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 e74d48d2d2fa18e6304914df67bb4a169508ba1e34fe3689a966bbbba6379371 253082 libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 8e37177e4c27650507a4cdfe1ca6269cd867e89aa22d78a150d35368ece485cf 9394 libactionpack-ruby_2.3.5-1.2+squeeze0.1_all.deb
 c749c6cdd18b9ccf1de2b12ab1d97329baf23eb1c9c5053a09ed0d9f7b67bc8d 320978 libactionpack-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 7557e8a5f33cb2b960d8530ad3f1f42031b906542a0f64e1fcf06fd382fb4e4c 9354 libactionmailer-ruby_2.3.5-1.2+squeeze0.1_all.deb
 d864038a37f40b4034abb1e84f040abeb34a1ec157c33b517e0a0224f67b9f3e 31590 libactionmailer-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 9f81f676b5c6040d04afbd2907dfd24cc5d4950afa2add33c0b53d23d85914ca 9356 libactiveresource-ruby_2.3.5-1.2+squeeze0.1_all.deb
 8030e46e687da641c0cc4712d2ea2f249420c922975f6d03356465d02c62a2cb 36652 libactiveresource-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
Files: 
 dc22c789c5d2fdff7680b8c7cadcec0e 1699 ruby optional rails_2.3.5-1.2+squeeze0.1.dsc
 8e28f9ba645d67dea57a33508d11a56c 3173705 ruby optional rails_2.3.5.orig.tar.gz
 62a691c47f58dc05ef8444e981c63f8a 21992 ruby optional rails_2.3.5-1.2+squeeze0.1.debian.tar.gz
 f90e492aab13cf7f36a932c2ceac2ddb 11878 ruby optional rails_2.3.5-1.2+squeeze0.1_all.deb
 731a5c320f05686df1f00e73bb40b7f6 222196 ruby optional rails-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 ac304dc9c8d5c96166f2f35d4813fdd5 899126 doc optional rails-doc_2.3.5-1.2+squeeze0.1_all.deb
 a4a1de01878d2019842f7147b6afa35f 9330 ruby optional libactiverecord-ruby_2.3.5-1.2+squeeze0.1_all.deb
 d9aace2a82b4719ebeb2901ad13bbe20 265992 ruby optional libactiverecord-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 7a69c5a24b84a6b669fddc63f529f32a 265302 ruby optional libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 f8cdfe71f52b6dd8bf86270757d84b2f 9266 ruby optional libactivesupport-ruby_2.3.5-1.2+squeeze0.1_all.deb
 22e96bcc79d29737cd1bda70eff08112 253658 ruby optional libactivesupport-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 3536bf36525fbcefff82acee55edc360 253082 ruby optional libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 a9327d1f282e22799625036891b62652 9394 ruby optional libactionpack-ruby_2.3.5-1.2+squeeze0.1_all.deb
 3045874729f28beb3053f94a13c4d156 320978 ruby optional libactionpack-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 3509f8853a99f6c98194c0d20822809d 9354 ruby optional libactionmailer-ruby_2.3.5-1.2+squeeze0.1_all.deb
 b95e66c9a06d521bec448468a046879c 31590 ruby optional libactionmailer-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 33d96875656429eadab857318cd9fa5b 9356 ruby optional libactiveresource-ruby_2.3.5-1.2+squeeze0.1_all.deb
 e1819cd6c3acf1b15cbdd9a0aa475a80 36652 ruby optional libactiveresource-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3jh4QACgkQ9OZqfMIN8nOU+wCgqbC7j9wZ9TTsT7Zi/tZokHox
poQAniHBSIzEW/ExfGZN/aV7PSXkmckY
=qMdb
-----END PGP SIGNATURE-----
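The squeeze changelog above describes the CVE-2011-0447 fix as changing the CSRF whitelisting so that it only applies to GET requests. The following is an added example, not Rails code and not part of this bug report: it models the check before and after that change and runs a handful of constructed requests through both. Before the fix a non-GET request skipped the token check when it was an XHR or carried a content type the model does not treat as a form submission; after the fix only GET is exempt. The X-CSRF-Token header fallback is an assumption about the fixed behaviour, the constant-time comparison is hardening added here rather than something the changelog mentions, and the request struct, the type list and every name below belong to this example.

```ruby
# Added example; not Rails code and not from this bug report. It models the
# whitelisting change in the changelog entry above: before the fix a non-GET
# request skipped the token check when it was an XHR or carried a content
# type not treated as a form submission; after the fix only GET is exempt.
# The X-CSRF-Token header fallback is an assumption about the fixed
# behaviour, and the constant-time comparison is hardening added here. The
# request struct, the type list and every name below belong to this example.
Request = Struct.new(:verb, :xhr, :content_type, :params, :headers, keyword_init: true)

# Content types this model treats as browser form submissions and therefore
# subject to the token check before the fix (a simplification of the
# framework's own verifiable-type list).
FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data'].freeze

# Pre-fix logic: the whitelist conditions let a cross-site POST through with
# no token at all whenever the attacker can make it look like an XHR or give
# it a non-form content type.
def verified_before_fix?(req, token)
  req.verb == :get ||
    req.xhr ||
    !FORM_TYPES.include?(req.content_type) ||
    secure_equal?(req.params['authenticity_token'], token)
end

# Post-fix logic: only GET is exempt; everything else must present the token
# as a form parameter or in the X-CSRF-Token header (assumed).
def verified_after_fix?(req, token)
  return true if req.verb == :get
  presented = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
  secure_equal?(presented, token)
end

# Length-checked, constant-time string comparison so the token check does not
# leak how many leading bytes matched.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

TOKEN = 'constructed-session-token'

# Constructed requests covering the cases that matter.
SAMPLE_REQUESTS = {
  get:           Request.new(verb: :get,  xhr: false, content_type: nil,
                             params: {}, headers: {}),
  form_ok:       Request.new(verb: :post, xhr: false, content_type: 'application/x-www-form-urlencoded',
                             params: { 'authenticity_token' => TOKEN }, headers: {}),
  form_bad:      Request.new(verb: :post, xhr: false, content_type: 'application/x-www-form-urlencoded',
                             params: { 'authenticity_token' => 'guess' }, headers: {}),
  xhr_no_token:  Request.new(verb: :post, xhr: true,  content_type: 'application/x-www-form-urlencoded',
                             params: {}, headers: {}),
  json_no_token: Request.new(verb: :post, xhr: false, content_type: 'application/json',
                             params: {}, headers: {}),
  xhr_header:    Request.new(verb: :post, xhr: true,  content_type: 'application/json',
                             params: {}, headers: { 'X-CSRF-Token' => TOKEN })
}.freeze

# Run every sample through both checks: name => [before, after].
def evaluate(token = TOKEN)
  SAMPLE_REQUESTS.transform_values do |req|
    [verified_before_fix?(req, token), verified_after_fix?(req, token)]
  end
end

if __FILE__ == $PROGRAM_NAME
  evaluate.each do |name, (before, after)|
    puts format('%-14s before=%-5s after=%s', name, before, after)
  end
end
```

The two rows to look at are xhr_no_token and json_no_token: the pre-fix check accepts both without any token, the post-fix check rejects both, while a genuine XHR that carries the token in the header still passes. The practical consequence of the fix is that JavaScript clients which previously relied on the XHR exemption have to start sending the token.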





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Jul 2011 07:36:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:05:44 2019; Machine Name: beach
