all versions of rails are vulnerable to CVE-2009-3009
Bug #425988 reported by Łukasz Stelmach. This bug affects 1 person.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| rails (Ubuntu) | Fix Released | Medium | Unassigned | |
| Dapper | Won't Fix | Medium | Unassigned | |
| Hardy | Won't Fix | Medium | Unassigned | |
| Intrepid | Invalid | Medium | Unassigned | |
| Jaunty | Won't Fix | Medium | Unassigned | |
Bug Description
Binary package hint: rails
A very serious rails vulnerability, CVE-2009-3009, was disclosed four days ago. Unpatched rails does not prevent XSS crafted with invalid UTF-8 chars. See details at [1] and [2].
[1]http://
[2]http://
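The bug report above describes an HTML escaper that can be fooled by byte sequences that are not valid UTF-8. The following is an added example (not part of the bug report and not Rails' own code) of the defensive check a practitioner would want at the output boundary: validate the encoding first, replace any malformed sequence with U+FFFD, and only then HTML-escape. The function names `escape_untrusted` and `valid_utf8?` and the sample inputs are assumptions constructed for this example.

```ruby
require 'cgi'

# Added example (not Rails code). Escape untrusted text for HTML output only
# after the byte string has been validated as UTF-8. An escaper that trusts
# malformed byte sequences can be bypassed; here every invalid sequence is
# replaced with the replacement character before escaping, so the result is
# always well-formed UTF-8 in which markup characters are escaped.
def escape_untrusted(input)
  s = input.to_s.dup.force_encoding(Encoding::UTF_8)
  # String#scrub (Ruby 2.1+) replaces each invalid byte sequence.
  s = s.scrub("\uFFFD") unless s.valid_encoding?
  CGI.escapeHTML(s)
end

# True when the text is valid UTF-8. A stricter policy would reject such
# input at the boundary instead of scrubbing it.
def valid_utf8?(input)
  input.to_s.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Constructed sample inputs (assumed, not taken from the bug report).
SAMPLES = {
  plain:     "caf\u00E9 <b>bold</b>",   # valid UTF-8 containing markup
  truncated: "caf\xC3".b,              # lone lead byte: invalid UTF-8
  stray:     "\xFF<".b,                # byte 0xFF never occurs in UTF-8
}.freeze

# Runs every sample through the escaper and reports validity and output.
def report(samples = SAMPLES)
  samples.map do |name, str|
    out = escape_untrusted(str)
    [name, valid_utf8?(str), out, out.valid_encoding?]
  end
end

if __FILE__ == $0
  report.each do |name, valid_in, out, valid_out|
    puts "#{name}: input valid=#{valid_in} output=#{out.inspect} output valid=#{valid_out}"
  end
end
```

The key property is the last column of `report`: whatever bytes arrive, the string handed to the template is valid UTF-8 with `<`, `>`, `&`, `"` and `'` escaped, so a downstream decoder cannot reinterpret a malformed sequence as markup.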
visibility: private → public
Changed in rails (Ubuntu):
  status: New → Confirmed
  importance: Undecided → Medium
Changed in rails (Ubuntu Dapper):
  status: Confirmed → Won't Fix
Changed in rails (Ubuntu Hardy):
  status: Confirmed → Won't Fix
Fixed in Karmic:
rails (2.2.3-1) unstable; urgency=high

  * New upstream release (closes: #545063)
    + Fixes XSS security hole [CVE-2009-3009]
    + Fixes timing issue with cookie store [CVE-2009-3086]
  * Remove dependency on ruby-dbi, as it is not required by any of the
    sources.
  * Correct dependency on fixed libxml-simple-ruby to 1.0.11-2 or later
    (closes: #538982)
  * debian/control
    + Change section from web to ruby
    + Updated to debhelper 7.0+
    + Standards updated to 3.8.3 - no changes