A security issue fixed upstream has been announced today (July 2): http://openwall.com/lists/oss-security/2014/07/02/5 The issue is fixed upstream in versions 4.0.7 and 4.1.3. This should be updated along with the rest of the packages in the rails suite, which would also fix Bug 13339.
Whiteboard: (none) => MGA4TOO
Depends on: (none) => 13339
4.1.3 submitted to cauldron.
Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
4.0.7 submitted to 4/updates_testing
Thanks Pascal! Unfortunately it was just announced that the CVE fixed caused a regression. Patches against 4.0.7 and 4.1.3 are posted here: http://seclists.org/oss-sec/2014/q3/10
Submitted patched versions
Thanks again Pascal! Upstream has released 4.1.4 and 4.0.8 to include the regression fix patches: http://weblog.rubyonrails.org/2014/7/2/Rails_4_0_8_and_4_1_4_have_been_released/ We can go with what you've already built, or you can update it again. I'll leave that up to you. We'll handle the update with QA in Bug 13339. I'll wait until tomorrow to assign to QA.
4.1.4 and 4.0.8 submitted
Thank you so much Pascal! Sorry you had to do it three times :o(
Red Hat has issued an advisory for this on July 14: https://rhn.redhat.com/errata/RHSA-2014-0877.html
URL: (none) => http://lwn.net/Vulnerabilities/605460/
Fixed: http://advisories.mageia.org/MGASA-2014-0303.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED