Debian Bug report logs - #614864
CVE-2011-0446 and CVE-2011-0447

version graph

Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 23 Feb 2011 21:45:01 UTC

Severity: grave

Tags: security

Fixed in versions rails/2.3.11-0.1, rails/2.3.5-1.2+squeeze0.1

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Adam Majer <adamm@zombino.com>:
Bug#614864; Package rails. (Wed, 23 Feb 2011 21:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Adam Majer <adamm@zombino.com>. (Wed, 23 Feb 2011 21:45:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-0446 and CVE-2011-0447
Date: Wed, 23 Feb 2011 22:40:59 +0100
Package: rails
Severity: grave
Tags: security

Please see
http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

Cheers,
        Moritz

-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#614864; Package rails. (Fri, 04 Mar 2011 15:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to micah anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Fri, 04 Mar 2011 15:57:03 GMT) Full text and rfc822 format available.

Message #10 received at 614864@bugs.debian.org (full text, mbox):

From: micah anderson <micah@riseup.net>
To: 614864@bugs.debian.org
Subject: patch
Date: Fri, 04 Mar 2011 10:53:18 -0500
Hi, 

I decided to help a little bit moving these issues forward. I did what I
could, but now the more experienced debian rails people need to act. In
particular, there is a decision that needs to be made for CVE-2011-0446,
and a review of the fix I did for CVE-2011-0447. I am happy to help
facilitate in any other way, but I need others who have more experience
to weigh in on those.

Both of these CVEs affect all versions of rails, including those in
oldstable.

CVE-2011-0446
-------------

Patch for rails 2.3 to fix CVE-2011-0446 is here:

http://rubyonrails-security.googlegroups.com/attach/365b8a23b76a6b4a/2-3-mailto.patch?part=3

The upstream commit id is: abe97736b8316f1b714cac56c115c0779aa73217

Looking through the commit log for the above fix, it was done to rails
2.3.11, which has had three other commits that touched
actionpack/lib/action_view/helpers/url_helper.rb, the largest one is
9ca6df83f606a0fb8be3815328111d0cdaa7c65b which backports html_safe and
the latest rails_xss plugin. This change seems to be a pre-requisite for
the security fix, the sad thing is that it is a big change.

I did not do anything with CVE-2011-0446 as it was intrusive, hopefully
others who have experience with this package can weigh in on the best
way forwards with this one. Once this is resolved a security release
could happen.


CVE-2011-0447
-------------

The patch for rails 2.1 to fix CVE-2011-0447 is here:

http://rubyonrails-security.googlegroups.com/attach/c22ea1668c0d181c/2-1-csrf.patch?part=3

I was able to cherry-pick this commit
(d622353dd399908770473d417ecef028524b8c8b) from upstream's git repo into
the debian debian-lenny branch without any conflicts. I went ahead and
did that and have committed it, along with a changelog entry and a NEWS
entry that comes straight from the mailing list.

It is my opinion that the fix for lenny in 2.1 is done. Please someone
who has more skills in rails review this to make sure it is good, and
then I think it can be uploaded after contacting the security team.


The patch for rails 2.3 to fix CVE-2011-0447 is here:

http://rubyonrails-security.googlegroups.com/attach/c22ea1668c0d181c/2-3-csrf.patch?part=5

I was able to cherry-pick this commit
(9998f79b9cf9c60b07baf4c23a02178034e06d85) from upstream's git repo into
the debian v2.3-stable branch without any conflicts. I also went ahead
and committed this change, along with a changelog entry and a NEWS entry
that came from the mailing list, identical to the debian-lenny 2.1 one
above. 

Once CVE-2011-0446 has been resolved for 2.3, then this can be uploaded.

A few notes:

1. I noticed that the upload that made it into squeeze was never tagged
as debian/2.3.5-1.2, so I went ahead and did that.

2. I wasn't sure what the difference between the branch 'debian-lenny'
and v2.1-stable were. The 'debian-lenny' one seemed to have the most
recent security fixes, and had a debian directory, so I went with that
one.

3. v2.3-stable seemed to be the place for squeeze fixes, which differs
from the nomenclature used in #2, perhaps that fix should be in a
debian-squeeze branch? If so, then please change it, and clarify #2 for
v2.3-stable too.


Micah




Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#614864; Package rails. (Thu, 17 Mar 2011 18:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to micah anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Thu, 17 Mar 2011 18:18:03 GMT) Full text and rfc822 format available.

Message #15 received at 614864@bugs.debian.org (full text, mbox):

From: micah anderson <micah@riseup.net>
To: 614864@bugs.debian.org
Subject: ping?
Date: Thu, 17 Mar 2011 14:15:02 -0400
[Message part 1 (text/plain, inline)]
Hi folks,

This security issue really needs to be dealt with, I'm concerned that we
are getting close to one month from when the bug was first reported to
the BTS, we are already over one month from when the bug was reported
upstream.

I'm looking for any feedback on the work I did...

micah

-- 

[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#614864; Package rails. (Mon, 21 Mar 2011 07:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Adam Majer <adamm@zombino.com>:
Extra info received and forwarded to list. (Mon, 21 Mar 2011 07:15:03 GMT) Full text and rfc822 format available.

Message #20 received at 614864@bugs.debian.org (full text, mbox):

From: Adam Majer <adamm@zombino.com>
To: micah anderson <micah@riseup.net>, 614864@bugs.debian.org
Subject: Re: Bug#614864: ping?
Date: Mon, 21 Mar 2011 01:56:34 -0500
On Thu, Mar 17, 2011 at 02:15:02PM -0400, micah anderson wrote:
> 
> Hi folks,
> 
> This security issue really needs to be dealt with, I'm concerned that we
> are getting close to one month from when the bug was first reported to
> the BTS, we are already over one month from when the bug was reported
> upstream.
> 
> I'm looking for any feedback on the work I did...

Your work is fine. I'll get this done tomorrow. I'm having a little
bit of a problem with unit tests for actionpack though. I know they
*used to* work in not so recent past.

- Adam


-- 
Adam Majer
adamm@zombino.com




Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#614864; Package rails. (Fri, 27 May 2011 10:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Fri, 27 May 2011 10:21:08 GMT) Full text and rfc822 format available.

Message #25 received at 614864@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@sury.org>
To: adamm@zombino.com, 614864@bugs.debian.org, Micah Anderson <micah@riseup.net>
Subject: Debian Rails package (Debian QA)
Date: Fri, 27 May 2011 12:17:33 +0200
Hi Adam,

since you're last upload of rails happened more than year ago and
there are 3 RC bugs open right now (including two CVEs), my question
is if you still have a resources to properly take care of rails. Maybe
it's time to find co-maintainers?

Anyway if I don't hear from you, I am going to NMU (2-day DELAY) the
package based on the work in the git repository this week.

Ccing Micah who did the last CVE fixes in the repository.

O.
-- 
Ondřej Surý <ondrej@sury.org>




Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Mon, 30 May 2011 13:51:12 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 30 May 2011 13:51:12 GMT) Full text and rfc822 format available.

Message #30 received at 614864-close@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: 614864-close@bugs.debian.org
Subject: Bug#614864: fixed in rails 2.3.11-0.1
Date: Mon, 30 May 2011 13:47:37 +0000
Source: rails
Source-Version: 2.3.11-0.1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:

libactionmailer-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/libactionmailer-ruby1.8_2.3.11-0.1_all.deb
libactionmailer-ruby_2.3.11-0.1_all.deb
  to main/r/rails/libactionmailer-ruby_2.3.11-0.1_all.deb
libactionpack-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/libactionpack-ruby1.8_2.3.11-0.1_all.deb
libactionpack-ruby_2.3.11-0.1_all.deb
  to main/r/rails/libactionpack-ruby_2.3.11-0.1_all.deb
libactiverecord-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/libactiverecord-ruby1.8_2.3.11-0.1_all.deb
libactiverecord-ruby1.9.1_2.3.11-0.1_all.deb
  to main/r/rails/libactiverecord-ruby1.9.1_2.3.11-0.1_all.deb
libactiverecord-ruby_2.3.11-0.1_all.deb
  to main/r/rails/libactiverecord-ruby_2.3.11-0.1_all.deb
libactiveresource-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/libactiveresource-ruby1.8_2.3.11-0.1_all.deb
libactiveresource-ruby_2.3.11-0.1_all.deb
  to main/r/rails/libactiveresource-ruby_2.3.11-0.1_all.deb
libactivesupport-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/libactivesupport-ruby1.8_2.3.11-0.1_all.deb
libactivesupport-ruby1.9.1_2.3.11-0.1_all.deb
  to main/r/rails/libactivesupport-ruby1.9.1_2.3.11-0.1_all.deb
libactivesupport-ruby_2.3.11-0.1_all.deb
  to main/r/rails/libactivesupport-ruby_2.3.11-0.1_all.deb
rails-doc_2.3.11-0.1_all.deb
  to main/r/rails/rails-doc_2.3.11-0.1_all.deb
rails-ruby1.8_2.3.11-0.1_all.deb
  to main/r/rails/rails-ruby1.8_2.3.11-0.1_all.deb
rails_2.3.11-0.1.debian.tar.gz
  to main/r/rails/rails_2.3.11-0.1.debian.tar.gz
rails_2.3.11-0.1.dsc
  to main/r/rails/rails_2.3.11-0.1.dsc
rails_2.3.11-0.1_all.deb
  to main/r/rails/rails_2.3.11-0.1_all.deb
rails_2.3.11.orig.tar.gz
  to main/r/rails/rails_2.3.11.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 614864@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 30 May 2011 14:58:12 +0200
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source all
Version: 2.3.11-0.1
Distribution: unstable
Urgency: medium
Maintainer: Adam Majer <adamm@zombino.com>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libactionmailer-ruby - Framework for generation of customized email messages
 libactionmailer-ruby1.8 - Framework for generation of customized email messages
 libactionpack-ruby - Controller and View framework used by Rails
 libactionpack-ruby1.8 - Controller and View framework used by Rails
 libactiverecord-ruby - ORM database interface for ruby
 libactiverecord-ruby1.8 - ORM database interface for ruby
 libactiverecord-ruby1.9.1 - ORM database interface for ruby
 libactiveresource-ruby - Connects objects and REST web services
 libactiveresource-ruby1.8 - Connects objects and REST web services
 libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
 rails      - MVC ruby based framework geared for web application development
 rails-doc  - Documentation for rails, a MVC ruby based framework
 rails-ruby1.8 - MVC ruby based framework geared for web application development
Closes: 546037 587767 614864 616456 618221 622829
Changes: 
 rails (2.3.11-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Imported Upstream version 2.3.11 (Closes: #616456)
     + Works with rubygems 1.6.x (Closes: #622829, #618221)
     + Fix XSS Risk in mail_to :encode=>:javascript [CVE-2011-0446]
     + Fix CSRF Bypass Risk: [CVE-2011-0447] (Closes: #614864)
     + I18N interpolation deprecation was removed in v2.3.6 (Closes: #546037)
   * Update dependencies on tmail (>= 1.2.7) and i18n (>= 0.4.1)
   * Adapt patches to the new release
   * Add Breaks: redmine (<< 1.1.3-1)
   * Add rubygems{1.8,1.9.1} dependency to all packages (Closes: #587767)
Checksums-Sha1: 
 969c40ea783af414e2d8cd7f5c04a6019a5f93fa 2043 rails_2.3.11-0.1.dsc
 3aad70662499a7dac943b1d8c8e0cabedd98fea4 3416081 rails_2.3.11.orig.tar.gz
 f7a1c66835494a93a9fcdb29ecc8dc9ef3d17707 17444 rails_2.3.11-0.1.debian.tar.gz
 2afd78ee91bf3c8b3ec47871ae4605b624edc933 11974 rails_2.3.11-0.1_all.deb
 295ffb97b207cd465c0f8fb326c3e8b61972e8f7 222784 rails-ruby1.8_2.3.11-0.1_all.deb
 d71192967048e7b268d8d3449d13c0474db65854 922666 rails-doc_2.3.11-0.1_all.deb
 008cef6c9861b95148bf530289e49647231396c9 9444 libactiverecord-ruby_2.3.11-0.1_all.deb
 56398b9d9dc1e3a7a63d34ec1eed0158d08afe9c 268580 libactiverecord-ruby1.8_2.3.11-0.1_all.deb
 49dd4dc5897012609cd69fb1e9d07812212a23be 269118 libactiverecord-ruby1.9.1_2.3.11-0.1_all.deb
 34038c63c16df34f57f042e566f4619e5814635d 9382 libactivesupport-ruby_2.3.11-0.1_all.deb
 ac412032c595a110d6e724f4974d6628b377fbf6 255620 libactivesupport-ruby1.8_2.3.11-0.1_all.deb
 928c78faf5c4055e409ae7c23b8473eca594e881 255592 libactivesupport-ruby1.9.1_2.3.11-0.1_all.deb
 72776e036be389356d4c122bcc6281845a727a80 9506 libactionpack-ruby_2.3.11-0.1_all.deb
 93333b56e771afe54275cf5e6e18ae8c7d06af67 324288 libactionpack-ruby1.8_2.3.11-0.1_all.deb
 8cf18c973a9be2ce565846270769e4d7dcc8171b 9478 libactionmailer-ruby_2.3.11-0.1_all.deb
 0fc07cb888d0fd8642b2e14fbc4692dc48d9d880 32048 libactionmailer-ruby1.8_2.3.11-0.1_all.deb
 5c8d7dc10f30194b781e741ad66c242eb0f904a3 9470 libactiveresource-ruby_2.3.11-0.1_all.deb
 f25a83bf0971e77e688b1835549d191a64229875 37596 libactiveresource-ruby1.8_2.3.11-0.1_all.deb
Checksums-Sha256: 
 4f14ec824ef1e4dcb1ac3f431b83c08f429b030a6062dba6962893df13376086 2043 rails_2.3.11-0.1.dsc
 60842a97e8a6ac03b60ed54f2c12f1b0991ede61c131074ef81edf14a70170ff 3416081 rails_2.3.11.orig.tar.gz
 d0848b2ca5ce2c700158e0b4ec84e190dd2b8998b71c2945ae80f329a7f96d09 17444 rails_2.3.11-0.1.debian.tar.gz
 7c45d8c8c757d4ed58818ad47cb28d9b127b7592e8cdee853c9a2fbda21cec8a 11974 rails_2.3.11-0.1_all.deb
 712f85bb65097aec41dd353dd5bc55971f17ce90f4d98c46ba10af7a5a43e449 222784 rails-ruby1.8_2.3.11-0.1_all.deb
 f970e8c159f8f1bd4aa932e1e210a3f221a67dbc5c1a54a438dd561eeed0c439 922666 rails-doc_2.3.11-0.1_all.deb
 1b7cf2c97cd50269ebc9302689ecd72652fddc5c5d40307a4416932340111e5a 9444 libactiverecord-ruby_2.3.11-0.1_all.deb
 96e7290dc0c16906ae0f4b048e22b4cd194bc3c2a3938b9c3ecf0dbb85c33b24 268580 libactiverecord-ruby1.8_2.3.11-0.1_all.deb
 6cc7bd029b8d2809fcecd5dcddb818b9d71306df9f917c572eff9f0433610b6c 269118 libactiverecord-ruby1.9.1_2.3.11-0.1_all.deb
 f42507d6ae29fc2bb123aa7097f5297e9ad0c3d39a67b83cc453738cbb76d139 9382 libactivesupport-ruby_2.3.11-0.1_all.deb
 3eff06cec0b36a3f2b27df8e8118649ef7e5fe994d050492be037c7d42463528 255620 libactivesupport-ruby1.8_2.3.11-0.1_all.deb
 7fef0ba541a1da37be8b4c018c69387e78e206eec27f278165f79b38cb13e23a 255592 libactivesupport-ruby1.9.1_2.3.11-0.1_all.deb
 47779f11a48e2e0a187fdecdc1b7ef22f3bfdfa0c0c1dee1687a15e3eaa06b08 9506 libactionpack-ruby_2.3.11-0.1_all.deb
 8db7f539c1bb92e8bed88e77376c3aab4cf7de14aa65bfaa9f707eed5510831b 324288 libactionpack-ruby1.8_2.3.11-0.1_all.deb
 22014f45859c41ed25220fbf07ab7b9ea72ec926f01cdf76094e1481f8adaa18 9478 libactionmailer-ruby_2.3.11-0.1_all.deb
 40c1c95d601c932f7f37994df55d520a5d4e45e88de2c4f76bc2de748f4d826e 32048 libactionmailer-ruby1.8_2.3.11-0.1_all.deb
 ccd7f4bba6d613232060471b21efc5d9af5de4795cd48bd4c9ed8a5ebb2ed024 9470 libactiveresource-ruby_2.3.11-0.1_all.deb
 591c35bdc7a850fde0e003e132393b6c978310915a23fd066fde4352934c75fb 37596 libactiveresource-ruby1.8_2.3.11-0.1_all.deb
Files: 
 42e6ecd03d3ed6dcb802b5d87ed61da0 2043 ruby optional rails_2.3.11-0.1.dsc
 79bed7ebcd02868f98c5a99270d14992 3416081 ruby optional rails_2.3.11.orig.tar.gz
 c30454030243ba3249c90943b094d42f 17444 ruby optional rails_2.3.11-0.1.debian.tar.gz
 589fc0ea9a825cdd835f961678bcaec1 11974 ruby optional rails_2.3.11-0.1_all.deb
 2db5b51c903b3682f6b326f119b7b79e 222784 ruby optional rails-ruby1.8_2.3.11-0.1_all.deb
 26493e07928e73ad1962be368c10e8da 922666 doc optional rails-doc_2.3.11-0.1_all.deb
 1c04d0420c40aefdf223bbb9ed933165 9444 ruby optional libactiverecord-ruby_2.3.11-0.1_all.deb
 49eae57c302a06975fc1c17a4846ef49 268580 ruby optional libactiverecord-ruby1.8_2.3.11-0.1_all.deb
 5e96ac50e93cd4d4ab48485d95533b91 269118 ruby optional libactiverecord-ruby1.9.1_2.3.11-0.1_all.deb
 5775b99d629a826643a157e990be0296 9382 ruby optional libactivesupport-ruby_2.3.11-0.1_all.deb
 2fc62af1c54c2be42d4d7972b4c7535c 255620 ruby optional libactivesupport-ruby1.8_2.3.11-0.1_all.deb
 8194424532b69291558664fa87302da5 255592 ruby optional libactivesupport-ruby1.9.1_2.3.11-0.1_all.deb
 2c94d1c4dbd86de383948875dc2da6ec 9506 ruby optional libactionpack-ruby_2.3.11-0.1_all.deb
 480693e61c22a5ab7472a5889d14220c 324288 ruby optional libactionpack-ruby1.8_2.3.11-0.1_all.deb
 17432f11e67b7be5902267745771bb91 9478 ruby optional libactionmailer-ruby_2.3.11-0.1_all.deb
 a1aacb3e63740a239a55f0cfdd4b144e 32048 ruby optional libactionmailer-ruby1.8_2.3.11-0.1_all.deb
 91116ae46feecfaf132a375e15de4869 9470 ruby optional libactiveresource-ruby_2.3.11-0.1_all.deb
 93c0169087cf7c1e08ad20f9ab46b0f9 37596 ruby optional libactiveresource-ruby1.8_2.3.11-0.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3jm2kACgkQ9OZqfMIN8nMeoQCgmDVjDSmSsmvx+0MB3j7T7wM5
tk4AoIN79NRzNAF0iT92DT3SgcKLo07o
=yIfz
-----END PGP SIGNATURE-----





Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Wed, 01 Jun 2011 01:57:03 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 01 Jun 2011 01:57:04 GMT) Full text and rfc822 format available.

Message #35 received at 614864-close@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: 614864-close@bugs.debian.org
Subject: Bug#614864: fixed in rails 2.3.5-1.2+squeeze0.1
Date: Wed, 01 Jun 2011 01:54:03 +0000
Source: rails
Source-Version: 2.3.5-1.2+squeeze0.1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:

libactionmailer-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactionmailer-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
libactionmailer-ruby_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactionmailer-ruby_2.3.5-1.2+squeeze0.1_all.deb
libactionpack-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactionpack-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
libactionpack-ruby_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactionpack-ruby_2.3.5-1.2+squeeze0.1_all.deb
libactiverecord-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactiverecord-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
libactiverecord-ruby_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactiverecord-ruby_2.3.5-1.2+squeeze0.1_all.deb
libactiveresource-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactiveresource-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
libactiveresource-ruby_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactiveresource-ruby_2.3.5-1.2+squeeze0.1_all.deb
libactivesupport-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactivesupport-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
libactivesupport-ruby_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/libactivesupport-ruby_2.3.5-1.2+squeeze0.1_all.deb
rails-doc_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/rails-doc_2.3.5-1.2+squeeze0.1_all.deb
rails-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/rails-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
rails_2.3.5-1.2+squeeze0.1.debian.tar.gz
  to main/r/rails/rails_2.3.5-1.2+squeeze0.1.debian.tar.gz
rails_2.3.5-1.2+squeeze0.1.dsc
  to main/r/rails/rails_2.3.5-1.2+squeeze0.1.dsc
rails_2.3.5-1.2+squeeze0.1_all.deb
  to main/r/rails/rails_2.3.5-1.2+squeeze0.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 614864@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 30 May 2011 09:43:10 +0200
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source all
Version: 2.3.5-1.2+squeeze0.1
Distribution: stable-security
Urgency: low
Maintainer: Adam Majer <adamm@zombino.com>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libactionmailer-ruby - Framework for generation of customized email messages
 libactionmailer-ruby1.8 - Framework for generation of customized email messages
 libactionpack-ruby - Controller and View framework used by Rails
 libactionpack-ruby1.8 - Controller and View framework used by Rails
 libactiverecord-ruby - ORM database interface for ruby
 libactiverecord-ruby1.8 - ORM database interface for ruby
 libactiverecord-ruby1.9.1 - ORM database interface for ruby
 libactiveresource-ruby - Connects objects and REST web services
 libactiveresource-ruby1.8 - Connects objects and REST web services
 libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
 rails      - MVC ruby based framework geared for web application development
 rails-doc  - Documentation for rails, a MVC ruby based framework
 rails-ruby1.8 - MVC ruby based framework geared for web application development
Closes: 614864
Changes: 
 rails (2.3.5-1.2+squeeze0.1) stable-security; urgency=low
 .
   * Non-maintainer upload.
   * Fix CVE-2011-0446: Be sure to javascript_escape the email address to
     prevent apostrophes inadvertently causing javascript errors.
   * Fix CVE-2011-0447: Change the CSRF whitelisting to only apply to get
     requests (Closes: #614864)
Checksums-Sha1: 
 d1b5dd4331881b8dd33bbfd5492841b5f168edea 1699 rails_2.3.5-1.2+squeeze0.1.dsc
 f8df515f5137e69cefbdb21af94410eb6a0fd4b4 3173705 rails_2.3.5.orig.tar.gz
 d32a873db75c32888731983a1b4afaef38b994b2 21992 rails_2.3.5-1.2+squeeze0.1.debian.tar.gz
 2f9d30f93df62c14cd958fd1ff48bd68e1d4f5be 11878 rails_2.3.5-1.2+squeeze0.1_all.deb
 733d54b60153b1e497ea6ac0acf92773e2c76415 222196 rails-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 3729e581a27dabb1f9e76a3ec2d1e6e9ac57ea46 899126 rails-doc_2.3.5-1.2+squeeze0.1_all.deb
 bcafd9d20a27ee7cf12e5f9d738a9fe6df70c93b 9330 libactiverecord-ruby_2.3.5-1.2+squeeze0.1_all.deb
 f52d3133ab952dfb2ced0d1e1aca9a2e3484a90d 265992 libactiverecord-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 941f870683358ad716222518651f4a44a44bdefb 265302 libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 3362b81979dadf1849b3671df2ebb01d5649fc4b 9266 libactivesupport-ruby_2.3.5-1.2+squeeze0.1_all.deb
 abe4b8ab8361a937cf06c40b6c98704f8a3b5457 253658 libactivesupport-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 d32bef7b972c2b35a456d7c9596bb79f69298551 253082 libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 1f0b73e4cd2a4e09b55a436698ae50a2e26b868b 9394 libactionpack-ruby_2.3.5-1.2+squeeze0.1_all.deb
 aad4fd9cec2451506e965070904a96cddc679556 320978 libactionpack-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 415ce12fcddb3bb02c5f9dff262ec5b13243c877 9354 libactionmailer-ruby_2.3.5-1.2+squeeze0.1_all.deb
 f7a922b147ac5b653ffaa9460209175f2e47248f 31590 libactionmailer-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 55d86927015cbc1a335513812be701f8110a6316 9356 libactiveresource-ruby_2.3.5-1.2+squeeze0.1_all.deb
 2fc37eda971e886be8744e9e277243594d0592ba 36652 libactiveresource-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
Checksums-Sha256: 
 af896c43c483f87a2a07f73238adab5947a107ae442779e53edfa538c389c3aa 1699 rails_2.3.5-1.2+squeeze0.1.dsc
 f07416a3655ef24316e6fb8bd57bf00f5b06b9d6191cec15be93d08238ed1313 3173705 rails_2.3.5.orig.tar.gz
 cb3efe5064fe8b6f6a2215debcb01fa6bae1355968330e6a67f9a1ac5f0ac990 21992 rails_2.3.5-1.2+squeeze0.1.debian.tar.gz
 deeaedc7c699a52f246e9a4c454b53495ce72006f0a44cb96614240a1720d711 11878 rails_2.3.5-1.2+squeeze0.1_all.deb
 27b74e9455d91558526fcefc59da5b20a6410222afa817f5dea09a1ebcc1fc91 222196 rails-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 fc15660812c74ffd42fa73ffc2084ea39971d2a628072e363c6c99fb0602b5b8 899126 rails-doc_2.3.5-1.2+squeeze0.1_all.deb
 b666cd68aea827c71fb79cf66bdc5fcfe9abcbdad9fdc9205c369882a01d854c 9330 libactiverecord-ruby_2.3.5-1.2+squeeze0.1_all.deb
 3b7455f6366b91db2ba22398b5a52abfc655295bac7b005f62dffe23da3e7f1f 265992 libactiverecord-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 885c64b83752b9ec944578f52e7d0644e60783d36c5817b25fe9023328eae803 265302 libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 4b1a5c3651e73f2b867492fc30604310533c99bff9a7c3cf8f0675bedc040d2f 9266 libactivesupport-ruby_2.3.5-1.2+squeeze0.1_all.deb
 42e33a40091bfa54e036fa8db85e8c0f7747d9b03da51f0388533327e80139c6 253658 libactivesupport-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 e74d48d2d2fa18e6304914df67bb4a169508ba1e34fe3689a966bbbba6379371 253082 libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 8e37177e4c27650507a4cdfe1ca6269cd867e89aa22d78a150d35368ece485cf 9394 libactionpack-ruby_2.3.5-1.2+squeeze0.1_all.deb
 c749c6cdd18b9ccf1de2b12ab1d97329baf23eb1c9c5053a09ed0d9f7b67bc8d 320978 libactionpack-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 7557e8a5f33cb2b960d8530ad3f1f42031b906542a0f64e1fcf06fd382fb4e4c 9354 libactionmailer-ruby_2.3.5-1.2+squeeze0.1_all.deb
 d864038a37f40b4034abb1e84f040abeb34a1ec157c33b517e0a0224f67b9f3e 31590 libactionmailer-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 9f81f676b5c6040d04afbd2907dfd24cc5d4950afa2add33c0b53d23d85914ca 9356 libactiveresource-ruby_2.3.5-1.2+squeeze0.1_all.deb
 8030e46e687da641c0cc4712d2ea2f249420c922975f6d03356465d02c62a2cb 36652 libactiveresource-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
Files: 
 dc22c789c5d2fdff7680b8c7cadcec0e 1699 ruby optional rails_2.3.5-1.2+squeeze0.1.dsc
 8e28f9ba645d67dea57a33508d11a56c 3173705 ruby optional rails_2.3.5.orig.tar.gz
 62a691c47f58dc05ef8444e981c63f8a 21992 ruby optional rails_2.3.5-1.2+squeeze0.1.debian.tar.gz
 f90e492aab13cf7f36a932c2ceac2ddb 11878 ruby optional rails_2.3.5-1.2+squeeze0.1_all.deb
 731a5c320f05686df1f00e73bb40b7f6 222196 ruby optional rails-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 ac304dc9c8d5c96166f2f35d4813fdd5 899126 doc optional rails-doc_2.3.5-1.2+squeeze0.1_all.deb
 a4a1de01878d2019842f7147b6afa35f 9330 ruby optional libactiverecord-ruby_2.3.5-1.2+squeeze0.1_all.deb
 d9aace2a82b4719ebeb2901ad13bbe20 265992 ruby optional libactiverecord-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 7a69c5a24b84a6b669fddc63f529f32a 265302 ruby optional libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 f8cdfe71f52b6dd8bf86270757d84b2f 9266 ruby optional libactivesupport-ruby_2.3.5-1.2+squeeze0.1_all.deb
 22e96bcc79d29737cd1bda70eff08112 253658 ruby optional libactivesupport-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 3536bf36525fbcefff82acee55edc360 253082 ruby optional libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze0.1_all.deb
 a9327d1f282e22799625036891b62652 9394 ruby optional libactionpack-ruby_2.3.5-1.2+squeeze0.1_all.deb
 3045874729f28beb3053f94a13c4d156 320978 ruby optional libactionpack-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 3509f8853a99f6c98194c0d20822809d 9354 ruby optional libactionmailer-ruby_2.3.5-1.2+squeeze0.1_all.deb
 b95e66c9a06d521bec448468a046879c 31590 ruby optional libactionmailer-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb
 33d96875656429eadab857318cd9fa5b 9356 ruby optional libactiveresource-ruby_2.3.5-1.2+squeeze0.1_all.deb
 e1819cd6c3acf1b15cbdd9a0aa475a80 36652 ruby optional libactiveresource-ruby1.8_2.3.5-1.2+squeeze0.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3jh3QACgkQ9OZqfMIN8nOU+wCgqbC7j9wZ9TTsT7Zi/tZokHox
poQAniHBSIzEW/ExfGZN/aV7PSXkmckY
=qMdb
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Jul 2011 07:36:26 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:51:18 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.