From: Eric
To: ruby@FreeBSD.org
Cc: Steve Wills
Date: Thu, 10 Jan 2013 17:36:35 +0000
Subject: RoR: CVE-2013-0155 and CVE-2013-0156 [was Re: ruby and CVE-2012-5664]
In-Reply-To: <50EA2F0E.1050006@FreeBSD.org>
List-Id: FreeBSD-specific Ruby discussions

> On 01/05/13 20:58, Olli Hauer wrote:
>> It seems there are new releases for ruby because of a security issue,
>> CVE-2012-5664
>>
> The issue is in Ruby On Rails, not Ruby itself. There's an update to
> Ruby 1.9, but it's not a security issue. I'll see what I can do about
> the Rails update first, then the rest later.
>
> Steve

Following up on the update to Rails, it doesn't look like it's a good new
year for Ruby on Rails:

http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/

Two more serious exploits listed:

CVE-2013-0155:
https://groups.google.com/group/rubyonrails-security/browse_thread/thread/b75585bae4326af2

CVE-2013-0156:
https://groups.google.com/group/rubyonrails-security/browse_thread/thread/eb56e482f9d21934