The recent rails vulnerability

René van den Berg r.van.den.berg at ogd.nl
Thu Jan 10 16:06:11 UTC 2013


Just a heads-up: versions of rubygem-extlib < 0.9.16 are similarly
vulnerable and, depending on loading order, might reopen the security
hole in Rails applications, since the patched Rails version of the
Hash#from_xml method is replaced by extlib's version.

Regards,
René van den Berg

On Thu, Jan 10, 2013 at 4:31 PM, Vít Ondruch <vondruch at redhat.com> wrote:
> Dne 10.1.2013 16:29, Vít Ondruch napsal(a):
>
>> Dne 10.1.2013 16:14, Tejas Dinkar napsal(a):
>>>
>>> Just in case you guys hadn't heard about it:
>>> https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
>>>
>>> This is considered an urgent fix.
>>>
>>>
>>
>> Thank you for the heads-up.
>>
>> Rawhide was updated to Rails 3.2.11 yesterday and there are already
>> updates for F18 [1] and F17 [2].
>>
>> Unfortunately, there is one incompatibility
>
>
> [3] ... forgot to reference it :)
>
>
>> introduced by these fixes, so I am not sure if I should push it into
>> stable.
>>
>> Working on F16 now but I am afraid I'm not going to make it today :/ But
>> somebody will continue where I leave off.
>>
>>
>>
>> Vít
>>
>>
>>
>> [1]
>> https://admin.fedoraproject.org/updates/rubygem-actionpack-3.2.8-2.fc18,rubygem-activerecord-3.2.8-3.fc18,rubygem-activesupport-3.2.8-2.fc18
>> [2]
>> https://admin.fedoraproject.org/updates/rubygem-actionpack-3.0.11-8.fc17,rubygem-activerecord-3.0.11-5.fc17,rubygem-activemodel-3.0.11-2.fc17,rubygem-activesupport-3.0.11-7.fc17
>> [3] https://github.com/rails/rails/issues/8832
>> _______________________________________________
>> ruby-sig mailing list
>> ruby-sig at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/ruby-sig
>
>
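The loading-order problem René describes, as an added example that is not code from the thread, from Rails or from extlib: two constructed stand-ins both define the class method Hash.from_xml, whichever is required last wins, and Method#source_location shows which definition is live. The library names, paths and method bodies below are invented for the demonstration.

```ruby
# Added example, not from the thread: constructed stand-ins for a patched
# Hash.from_xml and for an older library that also defines it. Whichever
# definition is loaded last replaces the other, which is exactly the
# loading-order risk described in the mail. Names and paths are invented.

# Stand-in for the patched definition (hypothetical, not Rails' code).
PATCHED_SRC = <<~RUBY
  class Hash
    def self.from_xml(xml)
      # Patched behaviour stand-in: marks itself as the patched version.
      { 'source' => 'patched', 'payload' => xml.to_s }
    end
  end
RUBY

# Stand-in for an older library's definition that clobbers the patched one.
OLDER_SRC = <<~RUBY
  class Hash
    def self.from_xml(xml)
      # Unpatched behaviour stand-in: marks itself as the older version.
      { 'source' => 'older', 'payload' => xml.to_s }
    end
  end
RUBY

# Fake load paths so Method#source_location can tell the two apart.
PATCHED_PATH = 'stand_in/patched_core_ext/hash.rb'
OLDER_PATH   = 'stand_in/older_lib/hash.rb'

# Report which file currently owns Hash.from_xml (nil if undefined).
def from_xml_owner
  return nil unless Hash.respond_to?(:from_xml)
  Hash.method(:from_xml).source_location&.first
end

# Simulate `require` in the given order; each eval redefines Hash.from_xml.
def load_in_order(*entries)
  entries.each { |path, src| eval(src, TOPLEVEL_BINDING, path, 1) }
  from_xml_owner
end

# Defender's check: is the live Hash.from_xml the patched definition?
def patched_definition_live?
  from_xml_owner == PATCHED_PATH
end

load_in_order([PATCHED_PATH, PATCHED_SRC], [OLDER_PATH, OLDER_SRC])
puts "patched then older: live definition is #{from_xml_owner}, patched? #{patched_definition_live?}"
```

In a real application the same check is `Hash.method(:from_xml).source_location`, compared against the ActiveSupport path you expect after all gems have been required.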
