From: Steve Wills <swills@FreeBSD.org>
Date: Sun, 13 Jan 2013 21:09:33 +0000
To: Eric
Cc: ruby@FreeBSD.org
Subject: Re: RoR: CVE-2013-0155 and CVE-2013-0156 [was Re: ruby and CVE-2012-5664]
Message-ID: <50F3228D.3050200@FreeBSD.org>
List-Id: FreeBSD-specific Ruby discussions

On 01/10/13 17:36, Eric wrote:
>>> On 01/05/13 20:58, Olli Hauer wrote:
>>> It seems there are new releases for ruby because of a security issue
>>> CVE-2012-5664
>>>
>> The issue is in Ruby On Rails, not Ruby itself. There's an update to
>> Ruby 1.9, but it's not a security issue. I'll see what I can do about
>> the Rails update first, then the rest later.
>>
>> Steve
>
> Following up on the update to Rails, it doesn't look like it's a good new
> year for Ruby on Rails:
>
> http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
>
> Two more serious exploits listed:
>
> CVE-2013-0155:
> https://groups.google.com/group/rubyonrails-security/browse_thread/thread/b75585bae4326af2
>
> CVE-2013-0156
> https://groups.google.com/group/rubyonrails-security/browse_thread/thread/eb56e482f9d21934
>

Yeah, I committed the fixes and vuxml for both sets at the same time.

Thanks!

Steve