> - CVE-2011-2932 does seem to affect lucid, as the insecure code seems to be present in actionpack/lib/action_view/erb/util.rb
Ah yes, but the affected code is in actionpack/lib/action_view/template_handlers/erb.rb
> - Please add the upstream commit that fixed each issue to debian/changelog, so we can trace where the fix came from
I've added links to the rubyonrails-security threads.
> Also, did you successfully run the test suite after updating the package?
Yes, for mysql and sqlite. One test failed but I think that's an error in the test code that seems to be fixed by https://rails.lighthouseapp.com/projects/8994/tickets/3826-patch-failure-on-test_validates_acceptance_of_as_database_column
I've also discovered a mistake in the patch for CVE-2011-0446 which I've fixed now.