Just a heads-up: versions of rubygem-extlib < 0.9.16 are similarly
vulnerable and, depending on loading order, might reopen the security
hole in Rails applications since the patched Rails version of the
Hash#from_xml method is replaced by extlibs version.
Regards,
René van den Berg
On Thu, Jan 10, 2013 at 4:31 PM, Vít Ondruch <vondruch(a)redhat.com> wrote:
Dne 10.1.2013 16:29, Vít Ondruch napsal(a):
> Dne 10.1.2013 16:14, Tejas Dinkar napsal(a):
>>
>> Just in case you guys hadn't heard about it:
>>
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/...
>>
<
https://groups.google.com/forum/?fromgroups=#%21topic/rubyonrails-securit...
>>
>> This is considered an urgent fix.
>>
>>
>
> Thank you for heads-up.
>
> Rawhide was updated to Rails 3.2.11 yesterday and there are already
> updates for F18 [1] and F17 [2].
>
> Unfortunately, there is one incompatibility
[3] ... forgot to reference it :)
> introduced by these fixes, so I am not sure if I should push it into
> stable.
>
> Working on F16 now but I am afraid I'm not going to make it today :/ But
> somebody will continue where I will end.
>
>
>
> Vít
>
>
>
> [1]
>
https://admin.fedoraproject.org/updates/rubygem-actionpack-3.2.8-2.fc18,r...
> [2]
>
https://admin.fedoraproject.org/updates/rubygem-actionpack-3.0.11-8.fc17,...
> [3]
https://github.com/rails/rails/issues/8832
> _______________________________________________
> ruby-sig mailing list
> ruby-sig(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/ruby-sig
_______________________________________________
ruby-sig mailing list
ruby-sig(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/ruby-sig