Just in case you guys hadn't heard about it: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61b...
This is considered an urgent fix.
On 10.1.2013 16:14, Tejas Dinkar wrote:
Just in case you guys hadn't heard about it: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61b... https://groups.google.com/forum/?fromgroups=#%21topic/rubyonrails-security/61bkgvnSGTQ
This is considered an urgent fix.
Thank you for the heads-up.
Rawhide was updated to Rails 3.2.11 yesterday and there are already updates for F18 [1] and F17 [2].
Unfortunately, there is one incompatibility introduced by these fixes, so I am not sure if I should push it into stable.
Working on F16 now but I am afraid I'm not going to make it today :/ But somebody will continue where I will end.
Vít
[1] https://admin.fedoraproject.org/updates/rubygem-actionpack-3.2.8-2.fc18,ruby...
[2] https://admin.fedoraproject.org/updates/rubygem-actionpack-3.0.11-8.fc17,rub...
[3] https://github.com/rails/rails/issues/8832
On 10.1.2013 16:29, Vít Ondruch wrote:
On 10.1.2013 16:14, Tejas Dinkar wrote:
Just in case you guys hadn't heard about it: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61b... https://groups.google.com/forum/?fromgroups=#%21topic/rubyonrails-security/61bkgvnSGTQ
This is considered an urgent fix.
Thank you for the heads-up.
Rawhide was updated to Rails 3.2.11 yesterday and there are already updates for F18 [1] and F17 [2].
Unfortunately, there is one incompatibility
[3] ... forgot to reference it :)
introduced by these fixes, so I am not sure if I should push it into stable.
Working on F16 now but I am afraid I'm not going to make it today :/ But somebody will continue where I will end.
Vít
[1] https://admin.fedoraproject.org/updates/rubygem-actionpack-3.2.8-2.fc18,ruby...
[2] https://admin.fedoraproject.org/updates/rubygem-actionpack-3.0.11-8.fc17,rub...
[3] https://github.com/rails/rails/issues/8832
_______________________________________________
ruby-sig mailing list
ruby-sig@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/ruby-sig
Just a heads-up: versions of rubygem-extlib < 0.9.16 are similarly vulnerable and, depending on loading order, might reopen the security hole in Rails applications, since the patched Rails version of the Hash#from_xml method is replaced by extlib's version.
Regards, René van den Berg
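
The load-order concern in the message above can be checked from inside an application. The following is an added example, not code from this thread or from Rails or extlib: the function names are hypothetical, the path matching assumes the usual `<name>-<version>` gem directory layout, and the sample path is constructed.

```ruby
require "rubygems"

# Boundary from the message above: extlib releases below 0.9.16 are affected.
EXTLIB_FIXED = Gem::Version.new("0.9.16")

def extlib_affected?(version)
  Gem::Version.new(version) < EXTLIB_FIXED
end

# File that defined the Hash.from_xml currently in effect (the last definition
# loaded wins), or nil when no library has added the method.
def from_xml_definer(klass = Hash)
  return nil unless klass.respond_to?(:from_xml)
  location = klass.method(:from_xml).source_location
  location && location.first
end

# Map a source path to the gem that owns it. Assumes the usual
# <gem dir>/<name>-<version>/lib/... layout.
def from_xml_owner(path)
  case path
  when nil then :none
  when %r{/extlib-[^/]+/} then :extlib
  when %r{/activesupport-[^/]+/} then :activesupport
  else :unknown
  end
end

# specs: { gem name => version string }; definer_path: from_xml_definer's result.
def audit(specs, definer_path)
  findings = []
  version = specs["extlib"]
  return findings unless version && extlib_affected?(version)
  findings << "extlib #{version} is older than #{EXTLIB_FIXED}"
  if from_xml_owner(definer_path) == :extlib
    findings << "Hash.from_xml in effect comes from #{definer_path}"
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input; in a running application use
  # Gem.loaded_specs.transform_values { |s| s.version.to_s } and from_xml_definer.
  sample_specs = { "activesupport" => "3.2.11", "extlib" => "0.9.15" }
  sample_path = "/usr/share/gems/gems/extlib-0.9.15/lib/extlib/hash.rb"
  puts audit(sample_specs, sample_path)
end
```

A second finding means the extlib definition was loaded after the patched Rails one and is the one actually answering calls.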