Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 3 Jan 2013 12:47:59 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: Carlos Alberto Lopez Perez <clopez@...lia.com>
Cc: oss-security@...ts.openwall.com,
	Aaron Patterson <tenderlove@...y-lang.org>,
	rubyonrails-security@...glegroups.com
Subject: Re: SQL Injection Vulnerability in Ruby on Rails
 (CVE-2012-5664)

On Thu, Jan 03, 2013 at 05:43:46PM +0100, Carlos Alberto Lopez Perez wrote:
> On 03/01/13 13:30, Carlos Alberto Lopez Perez wrote:
> > CVE-2012-5664 literally says:

> > And both Debian and Ubuntu have marked this CVE as NOT-FOR-US because of
> > this (they don't ship Authlogic gem).
> So I think the description for CVE-2012-5664 is incorrect and should be
> amended ASAP. Otherwise it will lead to confusion. People not using
> Authlogic would believe (wrongly) that they are not affected.

Thank you for the clarifying email and link to the very useful blog
post. I had indeed said NOT-FOR-US because we don't ship authlogic, but
we certainly do ship Active Record. I've updated Ubuntu's triage data.

> http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts

Thanks!


Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.