Re: Rails XSS hole
* Adam Majer:
> I have prepared a package with the changes. The patch is attached
> (patch1 - 1 line fix). One of the unit tests added in the security
> patch exposes another bug in rails in stable. This bug can be easily
> fixed via the 2nd patch (patch2, attached - 6 line fix). Is it
> possible to include both of these patches into a security change or
> only the security patch is permitted?

It is fine to include bug fixes which would be acceptable to
stable-proposed-updates. Based on your description, this seems to
apply here.

> I'll need someone from the security team to contact me regarding this
> update. (i.e. when to upload, etc.)

Please send full debdiffs to <security@debian.org> prior to upload
(preferably for both stable and oldstable).
Note that a fix for CVE-2009-3086 is missing, too.