
Re: Rails XSS hole

* Adam Majer:

> I have prepared a package with the changes. The patch is attached
> (patch1 - 1 line fix). One of the unit tests added in the security
> patch exposes another bug in rails in stable. This bug can be easily
> fixed via the 2nd patch (patch2, attached - 6 line fix). Is it
> possible to include both of these patches into a security change or
> only the security patch is permitted?

It is fine to include bug fixes which would be acceptable to
stable-proposed-updates.  Based on your description, this seems to
apply here.

> I'll need someone from the security team to contact me regarding this
> update. (i.e. when to upload, etc.)

Please send full debdiffs to <security@debian.org> prior to upload
(preferably for both stable and oldstable).

Note that a fix for CVE-2009-3086 is missing, too.
