Please sync rails 1.2.4-1 from Debian unstable (main)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
rails (Ubuntu) | Fix Released | Undecided | Unassigned |
Feisty | Won't Fix | Medium | Unassigned |
Bug Description
Binary package hint: rails
Rationale: fixes two XSS bugs (one with a CVE id).
See also http://
Debian changelog:
rails (1.2.4-1) unstable; urgency=low

  * New upstream release. Fixes at least 2 XSS bugs.
    + Secure #sanitize, #strip_tags, and #strip_links helpers against
      xss attacks. Upstream changeset 7589
    + to_json did not escape values which allows for XSS. Applied
      upstream changesets 6893, 6894. This bug has also been assigned
      designation CVE-2007-3227 (closes: #429177)
  * Add dependency on Sqlite3 as ActiveRecord supports this DB as
    well
  * Add dependency on libmocha which is needed by some unit tests

 -- Adam Majer <email address hidden>  Mon, 08 Oct 2007 11:27:25 -0500
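The changelog's second item says to_json emitted values unescaped, so a string that reaches a page inside a script block could break out of its HTML context. The following Ruby snippet is an added illustration of that class of fix, not code from the Rails changesets or from this package: it builds JSON with the standard library, then compares the raw output with a variant that rewrites `<`, `>` and `&` as `\uXXXX` escapes (a valid JSON encoding that any parser decodes back to the original characters). The sample comment value and the helper names are constructed for this example.

```ruby
require 'json'

# Characters that can close or reopen an HTML context (e.g. a <script> block)
# when JSON text is inlined into a page. Replacing them with JSON unicode
# escapes keeps the decoded value identical while removing the raw bytes.
# (Assumed mapping for illustration; not the project's own table.)
HTML_UNSAFE = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# Constructed user-controlled input: a comment that contains markup.
SAMPLE = { 'comment' => 'Nice post </script><b>not bold</b> & more' }.freeze

# Plain JSON generation: valid JSON, but the markup characters pass through.
def to_json_unescaped(obj)
  JSON.generate(obj)
end

# Hardened variant: same JSON document, with HTML-significant characters
# rewritten as \uXXXX escapes after generation.
def to_json_html_safe(obj)
  JSON.generate(obj).gsub(/[<>&]/) { |c| HTML_UNSAFE[c] }
end

# Detection check a reviewer can run on emitted JSON: true when no raw
# HTML-significant character remains in the serialized text.
def html_context_safe?(json_text)
  !json_text.match?(/[<>&]/)
end

# The escaped form must still decode to the original object.
def round_trips?(obj)
  JSON.parse(to_json_html_safe(obj)) == obj
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{to_json_unescaped(SAMPLE)}"
  puts "escaped:   #{to_json_html_safe(SAMPLE)}"
  puts "safe for inline script? #{html_context_safe?(to_json_html_safe(SAMPLE))}"
end
```

The escaped output is byte-for-byte different but semantically the same JSON, which is why this kind of fix can be applied at the serializer without touching callers.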
libmocha isn't included in gutsy. So I mailed the Debian maintainer if libmocha is necessary.
He said it's only used for unit test and can be removed.
I will upload a rails package without this dependency.
As long as you merge it to remove the depends on libmocha that we don't have, ack from me.