Re: Rails XSS hole

To: Adam Majer <adamm@zombino.com>
Cc: debian-security@lists.debian.org
Subject: Re: Rails XSS hole
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sun, 31 Jan 2010 22:29:58 +0100
Message-id: <[🔎] 874om2dktl.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 20100131052903.GA16528@mira.lan.galacticasoftware.com> (Adam Majer's message of "Sat, 30 Jan 2010 23:29:03 -0600")
References: <[🔎] 20100131052903.GA16528@mira.lan.galacticasoftware.com>

* Adam Majer:

> I have prepared a package with the changes. The patch is attached
> (patch1 - 1 line fix). One of the unit tests added in the security
> patch exposes another bug in rails in stable. This bug can be easily
> fixed via the 2nd patch (patch2, attached - 6 line fix). Is it
> possible to include both of these patches into a security change or
> only the security patch is permitted?

It is fine to include bug fixes which would be acceptable to
stable-proposed-updates.  Based on your description, this seems to
apply here.

> I'll need someone from security team to contact me regarding this
> update. (ie. when to upload, etc.)

Please send full debdiffs to <security@debian.org> prior to upload
(preferably for both stable and oldstable).

Note that a fix for CVE-2009-3086 is missing, too.

Reply to:

References:
- Rails XSS hole
  - From: Adam Majer <adamm@zombino.com>

Prev by Date: Re: centerim stable update for CVE-2008-4776
Previous by thread: Rails XSS hole
Next by thread: Re: centerim stable update for CVE-2008-4776
Index(es):
- Date
- Thread