Bug#: 138323
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Luigi Belli <gigi@warweus.com>
Description:   Opened: 2006-06-28 02:56 0000
http://weblog.rubyonrails.org/2006/6/27/rails-1-1-3-security-fix-and-minor-fixes
Security and performance fixes

------- Comment #1 From Jakub Moc (RETIRED) 2006-06-28 03:03:01 0000 -------
Security, interested in this?

------- Comment #2 From Wolf Giesen (RETIRED) 2006-06-28 13:55:23 0000 -------
For my part, I am, but the description is so vague we need to dig up something
more or audit it (the latter not really being an option given the size of the
project .-), IMHO.

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-06-30 09:14:08 0000 -------
Pulling in ruby for advise.

------- Comment #4 From Caleb Tennis 2006-07-03 04:54:42 0000 -------
I think we're good asking arches to mark 1.1.4 stable.  It's the official fix,
and if people need earlier versions within their rails code they can easily do
that with all of the goodies that are provided within rails.

------- Comment #5 From Wolf Giesen (RETIRED) 2006-07-03 05:14:27 0000 -------
I'll second that.

------- Comment #6 From Sune Kloppenborg Jeppesen 2006-07-03 05:42:59 0000 -------
Arches please test and mark stable.

------- Comment #7 From Lars Weiler (RETIRED) 2006-07-03 07:39:01 0000 -------
rails-1.1.4 stable on ppc.

------- Comment #8 From Joshua Jackson 2006-07-05 10:47:06 0000 -------
x86 should be done ^.^ *crosses fingers*

------- Comment #9 From Jason Wever (RETIRED) 2006-07-05 18:14:24 0000 -------
Stable on SPARC

------- Comment #10 From Thierry Carrez (RETIRED) 2006-07-29 05:44:36 0000 -------
amd64, about time to mark stable.

------- Comment #11 From Simon Stelling (RETIRED) 2006-07-31 01:31:43 0000 -------
amd64 done. sorry about the huge delay.

------- Comment #12 From Thierry Carrez (RETIRED) 2006-07-31 13:45:32 0000 -------
"a security issue with routing that could cause excess CPU usage in Rails
processes when triggered by certain URLs" :  voting no.

------- Comment #13 From Wolf Giesen (RETIRED) 2006-07-31 22:12:15 0000 -------
"While certain URLs cause excess CPU usage, other URLs cause Rails to shut down
uncleanly or halt (depending upon deployment environment). You need to upgrade.
(It appears that Rails 1.0 is not vulnerable to this DOS, but I haven't
tested.)"

(from http://blog.segment7.net/articles/2006/06/28/upgrade-to-rails-1-1-3-now)

I'd tend to vote yes. It's a bit weak, but there is corporate ruby stuff out
there.

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-08-01 00:50:17 0000 -------
I tend to vote NO.

------- Comment #15 From Raphael Marichez 2006-08-01 10:33:00 0000 -------
no too

------- Comment #16 From Wolf Giesen (RETIRED) 2006-08-01 21:00:29 0000 -------
That should conclude it, then.

------- Comment #17 From Sune Kloppenborg Jeppesen 2006-08-02 00:58:11 0000 -------
Closing with NO GLSA.

Feel free to reopen if you disagree.
