Date: Fri, 19 Aug 2011 15:03:52 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Michael Koziarski <michael@...iarski.com>, aaron@...derlovemaking.com,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: ruby on rails flaws (4)



----- Original Message -----
> Could we get CVEs assigned to these flaws? Upstream had requested CVEs
> prior to disclosure, but didn't receive any.
> 
> http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
> 
> 1) Filter Skipping bugs
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
> https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552
> https://bugzilla.redhat.com/show_bug.cgi?id=731432

Use CVE-2011-2929


> 
> 2) SQL Injection issues
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
> https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85
> https://bugzilla.redhat.com/show_bug.cgi?id=731438

Use CVE-2011-2930


> 
> 3) Parse error in strip_tags
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
> https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a
> https://bugzilla.redhat.com/show_bug.cgi?id=731436

Use CVE-2011-2931


> 
> 4) UTF-8 escaping vulnerability
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
> https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd
> https://bugzilla.redhat.com/show_bug.cgi?id=731435

Use CVE-2011-2932

Thanks.

-- 
    JB
