Message-ID: <1093098424.141863.1313780632015.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Fri, 19 Aug 2011 15:03:52 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Michael Koziarski <michael@...iarski.com>, aaron@...derlovemaking.com, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: ruby on rails flaws (4)

----- Original Message -----
> Could we get CVEs assigned to these flaws? Upstream had requested CVEs
> prior to disclosure, but didn't receive any.
>
> http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6
>
> 1) Filter Skipping bugs
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
> https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552
> https://bugzilla.redhat.com/show_bug.cgi?id=731432

Use CVE-2011-2929

>
> 2) SQL Injection issues
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
> https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85
> https://bugzilla.redhat.com/show_bug.cgi?id=731438

Use CVE-2011-2930

>
> 3) Parse error in strip_tags
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
> https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a
> https://bugzilla.redhat.com/show_bug.cgi?id=731436

Use CVE-2011-2931

>
> 4) UTF-8 escaping vulnerability
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
> https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd
> https://bugzilla.redhat.com/show_bug.cgi?id=731435

Use CVE-2011-2932

Thanks.

--
JB