Please sync rails 1.2.4-1 (universe) from Debian unstable (main)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
rails (Ubuntu) | Fix Released | Wishlist | Unassigned |
Bug Description
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
affects ubuntu/rails
status confirmed
subscribe ubuntu-archive
Please sync rails 1.2.4-1 (universe) from Debian unstable (main).
Explanation of the Ubuntu delta and why it can be dropped:
libmocha-ruby1.8 dependency can be re-added; we have it in Hardy.
Changelog since current hardy version 1.2.4-1ubuntu1:
rails (1.2.5-1) unstable; urgency=high
* This is a new upstream release that addresses problems not
corrected in 1.2.4 or regressions.
+ to_json XSS [CVE-2007-3227] is really closed now
+ Potential Information Disclosure or DoS with Hash#from_xml
[
+ Session Fixation attacks. [CVE-2007-5380] URL based sessions are
now disabled by default. Session ids are only accepted from
cookies by default now.
[Micah Anderson]
* Urgency set to high due to security issues addressed
-- Adam Majer <email address hidden> Sun, 14 Oct 2007 21:12:34 -0500
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHPVr3Ac+
XTzjYRdaibo+
=kNma
-----END PGP SIGNATURE-----
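The third changelog entry above (URL-based sessions disabled by default, session ids accepted only from cookies) is the one with a behavioural consequence for every application that takes the package. The following is an added example, not code from this bug, the Debian package or Rails itself: a minimal Ruby model of the two lookup policies so the difference can be run and checked. The `Request` struct and the sample requests are constructed; the parameter name `_session_id` is assumed to be the cookie/query name the application uses.

```ruby
# Added example (not from the Launchpad bug, the Debian package or Rails):
# models "session ids are only accepted from cookies by default" from the
# rails 1.2.5-1 changelog. Request is a constructed stand-in for a real
# request object; the key name _session_id is an assumption.
require 'cgi'

Request = Struct.new(:cookies, :query_string)

SESSION_KEY = '_session_id'

# Return the session id the application should trust for this request.
# allow_url_sessions: false is the hardened default described in the
# changelog; true reproduces the old behaviour, in which an id carried in
# a link became authoritative (the precondition for session fixation).
def session_id_for(request, allow_url_sessions: false)
  cookie_id = request.cookies[SESSION_KEY]
  return cookie_id if cookie_id && !cookie_id.empty?

  if allow_url_sessions
    params = CGI.parse(request.query_string.to_s)   # values are arrays
    url_id = params[SESSION_KEY].first
    return url_id if url_id && !url_id.empty?
  end
  nil   # no trusted id: the application should mint a fresh one
end

# Detection helper: true when a request still carries a session id in the
# URL even though URL sessions are disabled. Worth logging after the
# upgrade, since it indicates either stale bookmarks or fixation attempts.
def url_session_id_present?(request)
  CGI.parse(request.query_string.to_s).key?(SESSION_KEY)
end

if __FILE__ == $0
  # Constructed sample requests.
  cookie_req = Request.new({ SESSION_KEY => 'c0ffee' }, '')
  url_req    = Request.new({}, "#{SESSION_KEY}=from_link&page=1")
  p session_id_for(cookie_req)                          # "c0ffee"
  p session_id_for(url_req)                             # nil (new default)
  p session_id_for(url_req, allow_url_sessions: true)   # "from_link"
  p url_session_id_present?(url_req)                    # true
end
```

With the default policy a request whose only session id is in the query string gets no session at all, so the application issues a fresh id in a cookie; the cookie always wins when both are present, which is what removes the fixation vector the changelog refers to.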
[Updating] rails (1.2.4-1ubuntu1 [Ubuntu] < 1.2.5-1 [Debian])
 * Trying to add rails...
  - <rails_1.2.5-1.dsc: downloading from http://ftp.debian.org/debian/>
  - <rails_1.2.5.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
  - <rails_1.2.5-1.diff.gz: downloading from http://ftp.debian.org/debian/>
I: rails [universe] -> rails_1.2.4-1ubuntu1 [universe].