Adam Majer wrote:
> Florian Weimer wrote:
> >Package: rails
> >Version: 1.2.3-2
> >Severity: grave
> >Tags: security upstream
> >
> >An XSS vulnerability in code that uses to_json has been disclosed:
> >
> >  <http://dev.rubyonrails.org/ticket/8371>
> >
> >Please mention the name CVE-2007-3227 in the changelog when fixing
> >this bug.  Do you think that an upgrade for the stable distribution is
> >necessary?
> 
> I will take a look at it this weekend. Stable may need to be updated as 
> well.
> 
> Since this is an XSS problem, I don't think it needs a grave severity.
> But then some will argue otherwise. Also, nothing on the "Ruby on Rails 
> security announcement list"... hmmmm....

(Note, I don't know Ruby on Rails). Does the affected function claim to sanitise
potentially harmful characters? If not, sanitising still needs to be done inside
the application using RoR and this is mostly a security-related wishlist
bug, but not an immediate vulnerability.

Cheers,
        Moritz
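Moritz's point that, unless the serialiser promises to neutralise HTML-significant characters, the application embedding the JSON must do it itself, shown as an added Ruby example (this is not code from the thread or from Rails; the helper names and the sample value are constructed):

```ruby
require 'json'

# Constructed sample: a user-controlled value carrying characters that are
# harmless inside a JSON string but significant to an HTML parser.
USER_INPUT = { "name" => "</script><b>bob</b> & co" }.freeze

# Plain serialisation. The JSON grammar does not require '<', '>' or '&' to be
# escaped, so they pass through unchanged; if this string is later interpolated
# into an HTML page (for example inside a <script> block), the markup is live.
def naive_json(obj)
  JSON.generate(obj)
end

# Application-side hardening: rewrite the three HTML-significant characters as
# \uXXXX escapes. The result is still valid JSON (JSON.parse round-trips it),
# but an HTML parser no longer sees a tag or an entity in it.
HTML_UNSAFE = { "<" => "\\u003c", ">" => "\\u003e", "&" => "\\u0026" }.freeze

def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&]/) { |c| HTML_UNSAFE[c] }
end

# Detection helper: does a serialised document still contain raw markup characters?
def contains_raw_markup?(json_text)
  json_text.match?(/[<>&]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:     #{naive_json(USER_INPUT)}"
  puts "hardened:  #{html_safe_json(USER_INPUT)}"
end
```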

