** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** Michael Koziarski informed us about the following issue: There is a vulnerability in the escaping code for the form helpers in Ruby on Rails. Attackers who can inject deliberately malformed unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML. Versions Affected: 2.0.0 and *all* subsequent versions. Not affected: Applications running on ruby 1.9 Fixed Versions: 2.3.4, 2.2.3 Impact Due to the way that most databases either don't accept or actively cleanse malformed unicode strings this vulnerability is most likely to be exploited by non-persistent attacks however persistent attacks may still be possible in some configurations. *All* users of affected versions are advised to upgrade to a fixed versions.
I'd say we wait until the official release, prepare for a 0-day bump and call arches after that. It's "just" XSS and we only have a little over two days. Prestabling would be an overkill imo. Hans?
Sounds good to me in principle, yes. My two worries based on past upstream performance are: a) whether they will actually have new releases ready in time (last time took weeks after the announcement), and b) whether the new releases contain only the security fix. Last time their release also included a lot of other changed code which caused issues. I agree with Alex's strategy. If it turns out on the day itself that we don't trust the new release or it isn't ready we can create a bump at that time ourselves.
I've just added Rails 2.3.4 to the tree. I've run the specs and features with it for our two major applications and both seem to work as expected. As far as I can tell Rails 2.2.3 has not been released yet.
This is now public per $URL.
CVE-2009-3086 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3086): A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
My testing hasn't resulted in any issues, so as far as I'm concerned we are good to go here with stabilization.
Arches, please test and mark stable: =dev-ruby/rails-2.3.4 =dev-ruby/activerecord-2.3.4 =dev-ruby/activeresource-2.3.4 =dev-ruby/activesupport-2.3.4 =dev-ruby/actionmailer-2.3.4 =dev-ruby/actionpack-2.3.4 Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
We also need a newer rubygems stable, stabling of that via bug 284911.
amd64/x86 stable
ia64/sparc stable
ppc stable
ppc64 done
Arches, please test and mark stable: =dev-ruby/rails-2.2.3 =dev-ruby/activerecord-2.2.3 =dev-ruby/activeresource-2.2.3 =dev-ruby/activesupport-2.2.3 =dev-ruby/actionmailer-2.2.3 =dev-ruby/actionpack-2.2.3" Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
x86 stable
amd64 stable
GLSA together with bug 237385.
GLSA 200912-02
