It's possible that no backporting is required for sid, because rails-1.2.4 has been released:
http://weblog.rubyonrails.com/2007/10/5/rails-1-2-4-maintenance-release So that would leave etch the only target, and I'm not even sure if rails-1.1.6 had json support. So that just leaves lenny, and it might be quicker just to wait the 10 days for it to be promoted from sid to lenny, than to do the work of backporting the XSS fix to 1.2.3. Ciao, Sheldon.
signature.asc
Description: This is a digitally signed message part.