*** This bug is a security vulnerability *** Public security bug reported:
There are a bunch of Rails vulnerabilities that haven't been fixed in Ubuntu. First some CVE tracker triaging:

CVE-2009-4214: already fixed in lucid (2.2.3-2), can be marked as not-affected.

CVE-2011-0446, CVE-2011-0447, CVE-2011-2932: don't affect oneiric (fixed upstream)

CVE-2011-2932: doesn't seem to affect lucid-natty as activesupport/lib/active_support/core_ext/string/output_safety.rb doesn't provide a html_escape method in these versions

CVE-2011-2197: doesn't affect Ubuntu, see http://bugs.debian.org/634990

CVE-2011-2929, CVE-2011-3187: seems to only affect 3.x which isn't in Ubuntu

** Affects: rails (Ubuntu)
   Importance: Undecided
   Status: Invalid

** Affects: rails (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Affects: rails (Ubuntu Maverick)
   Importance: Undecided
   Status: New

** Affects: rails (Ubuntu Natty)
   Importance: Undecided
   Status: New

** Affects: rails (Ubuntu Oneiric)
   Importance: Undecided
   Status: Invalid

** Visibility changed to: Public

** Also affects: rails (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: rails (Ubuntu Maverick)
   Importance: Undecided
   Status: New

** Also affects: rails (Ubuntu Natty)
   Importance: Undecided
   Status: New

** Also affects: rails (Ubuntu Oneiric)
   Importance: Undecided
   Status: New

** Changed in: rails (Ubuntu Oneiric)
   Status: New => Invalid

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0446

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0447

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2930

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2931

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3186

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/870846

Title:
  several vulnerabilities in rails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rails/+bug/870846/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs