I ran across this issue in the Debian BTS:
It seems that by executing an XMLRPC server in Ruby in this manner:
It becomes possible to execute any arbitrary commands within the XMLRPC
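The server snippet the comment refers to is not reproduced in the thread, so the following is an added, self-contained illustration (not the reporter's code and not Ruby's xmlrpc library) of the bug class an RPC server falls into when it dispatches "prefix.method" onto a handler object by reflection. The class names, the two dispatchers and the "calc" prefix are hypothetical; that the real server could be reached through methods inherited from Object such as instance_eval is an assumption made here, not something the thread states.

```ruby
# Added example: a minimal model of reflection-based RPC dispatch.
# Hypothetical classes; not Ruby's xmlrpc/server.rb.

# The only thing the service author meant to expose.
class Calculator
  def add(a, b)
    a + b
  end
end

# Vulnerable model: whatever the handler object responds to is callable.
# Object#instance_eval, #send, etc. are public on every object, so a
# remote caller can name "calc.instance_eval" and run arbitrary Ruby,
# and with it arbitrary commands, inside the server process.
class NaiveDispatcher
  def initialize
    @handlers = {}
  end

  def add_handler(prefix, obj)
    @handlers[prefix] = obj
  end

  def call(name, *args)
    prefix, meth = name.split(".", 2)
    obj = @handlers.fetch(prefix) { raise ArgumentError, "unknown handler #{prefix}" }
    raise NoMethodError, "no such method #{meth}" unless obj.respond_to?(meth)
    obj.public_send(meth, *args)
  end
end

# Hardened model: only methods defined on the handler's own class are
# reachable; inherited methods (instance_eval, send, ...) never are.
class SafeDispatcher < NaiveDispatcher
  def call(name, *args)
    prefix, meth = name.split(".", 2)
    obj = @handlers.fetch(prefix) { raise ArgumentError, "unknown handler #{prefix}" }
    allowed = obj.class.public_instance_methods(false).map(&:to_s)
    raise NoMethodError, "method #{meth} not exposed" unless allowed.include?(meth)
    obj.public_send(meth, *args)
  end
end

# A constructed request that a malicious client would send. A real attacker
# would pass something like `system("...")` instead of harmless arithmetic.
EVIL_REQUEST = ["calc.instance_eval", "2 ** 10"].freeze

# Returns the result the naive server hands back: the injected code ran.
def demo_vulnerable
  d = NaiveDispatcher.new
  d.add_handler("calc", Calculator.new)
  d.call(*EVIL_REQUEST)
end

# Returns :blocked when the hardened server refuses the same request.
def demo_hardened
  d = SafeDispatcher.new
  d.add_handler("calc", Calculator.new)
  d.call(*EVIL_REQUEST)
  :executed
rescue NoMethodError
  :blocked
end

# The hardened server still serves the method that was meant to be public.
def demo_hardened_legit
  d = SafeDispatcher.new
  d.add_handler("calc", Calculator.new)
  d.call("calc.add", 1, 2)
end

if __FILE__ == $0
  puts "naive server evaluated attacker code: #{demo_vulnerable}"
  puts "hardened server: #{demo_hardened}, calc.add => #{demo_hardened_legit}"
end
```

The allow-list built from public_instance_methods(false) is the minimum fix for this model; a handler class that itself defines a method wrapping eval or system would of course still be exposed, so the exposed class should contain nothing but the intended service methods.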
Attaching a note to the Gentoo advisory - I think it's related. Versions in
FC3/FC4 are also affected - should we file related bugs for those?
It seems Debian ships with a fix?
For FC, it was already there:
Look, this is a bug for RHEL4.
So? We've already shipped.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.