Ruby on Rails Wednesday, January 27, 2016

Thanks Matthew, I'll alert the LTS team to this thread for their input :)



On Wednesday, January 27, 2016 at 11:34:18 AM UTC+13, matthewd wrote:

> Rails LTS has released their own patched version of 3.2.22 with the following notes:
>
> [CVE-2016-0753] Possible Input Validation Circumvention in Active Model
> [..]
> Despite what the announcement said, Rails 3.2 is affected. The issue is patched in the new LTS release.
>
> [CVE-2015-7581] Object leak vulnerability for wildcard controller routes in Action Pack
> [..]
> Despite what the announcement said, Rails 3.2 is affected. The issue is patched in the new LTS release.
>
> Given they've identified 3.2 is affected by those two issues, will there be a new official release of 3.2.22 to patch those two vulnerabilities also?


Details of security issues welcome:

> If you run in to security issues, please follow the reporting process which can be found [here](http://rubyonrails.org/security/).


We obviously evaluated all the issues for applicability to 3.2; it's very possible we missed something, but if so, we may need a more specific hint than "it's there". Anyway, we'll have another look.


Matthew


--
mat...@trebex.net

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/4849a25d-cdd3-47ed-bd96-11a73c1d6034%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

No comments:

Post a Comment