rails-2.1.1 and rails-2.0.4 released. Probably GLSA-team should open issue.
> An SQL Injection vulnerability has been found in Rails. The issue affects Rails < 2.1.1, namely the :limit and :offset parameters that are not correctly sanitized
> There is a DoS vulnerability in the REXML library included in the Ruby Standard Library. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML using REXML.
Note that the REXML security issue is already handled for all ruby software in ruby 1.8.6-P287-r1.
The first issue is a rails-specific security issue.
I've just added Rails 2.0.4 to CVS. I expect to add 2.1.1 later this weekend.
I propose to test these versions for a week and mark them stable regarding the first security issue unless regressions crop up.
Rails 2.1.1 is now also in CVS.
issue (2) is not resolved by 2.0.4. There's no point in stabling that except for additional hardening of rails users on old ruby versions.
Sorry, I meant issue (1) is not resolved by 2.0.4.
(In reply to comment #5)
> Sorry, I meant issue (1) is not resolved by 2.0.4.
So how should we deal with this security bug, given that 2.0.4 doesn't fix the problem and 2.1.0 is currently not stable yet?
(In reply to comment #6)
> So how should we deal with this security bug, given that 2.0.4 doesn't fix the
> problem and 2.1.0 is currently not stable yet?
That depends on how upstream handles it. If they'll release a 2.0.5 soon, we can bump, otherwise there is a backported patch to 2.X in the bug report.
(In reply to comment #7)
> That depends on how upstream handles it. If they'll release a 2.0.5 soon, we
> can bump, otherwise there is a backported patch to 2.X in the bug report.
Upstream issued two patches for 1.2.x and 2.0.x:
(In reply to comment #8)
> Upstream issued two patches for 1.2.x and 2.0.x:
I've put two ebuilds with these patches into the Ruby overlay.
Unfortunately the patching depends on new gem patching stuff which needs testing before it can be put into the main tree.
*** Bug 239548 has been marked as a duplicate of this bug. ***
Rails 2.0.5 does have the fix for issue 1, limit and offset parameter SQL injection.
Rails 2.0.5 is now in CVS. I propose to test this version for at least a week before stabling it.
Rails 2.1.2 is now out which fixes this bug. http://weblog.rubyonrails.com/2008/10/23/rails-2-1-2-security-other-fixes
Rails 2.1.2 is now in CVS.
Hans, is this ok for stable?
Yes, we are good to go for stabling.
Arches, please stabilize dev-ruby/rails-2.0.5 and dev-ruby/rails-2.1.2 and their dependencies.
In order of dependencies (each dependency has a -2.0.5 and a -2.1.2 version):
Note that we do not have a 2.1.x version stable, however, Rails 2.1.1 was already due for being marked stable, and 2.1.2 contains only this security fix and minor bug fixes.
All stable for sparc, but do not forget that we need:
for rails-2.1.2 as well.
Adding back amd64 and x86. Markus, it looks like you only did the Rails 2.1.2 version. We'd also like Rails 2.0.5 and its dependencies stable, so that we can keep the 2.0.x SLOT around for a bit longer. Let me know if you want me to do the stabling (I'm using this on amd64 and x86 myself).
Arch stable exept ia64 for 2.0.5. What we waiting for? :)
(In reply to comment #24)
> Arch stable exept ia64 for 2.0.5. What we waiting for? :)
Nothing, glsa decision now. I vote YES.
YES too, request filed.