Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3086 to
the following vulnerability:
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x
before 2.3.4, leaks information about the complexity of message-digest
signature verification in the cookie store, which might allow remote
attackers to forge a digest via multiple attempts.
This issue affects the version of rubygem-actionpack as shipped
with Fedora release 10 (and potentially also with 11 -- didn't check).
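The class of flaw the description refers to, shown as an added Ruby example (not the Rails patch or any project code): a short-circuiting digest comparison in a cookie-store verifier beside a constant-time one. The `SECRET` value, the `data--digest` cookie shape and all function names are constructed for the demo.

```ruby
require 'openssl'

# Constructed demo secret; a real deployment's secret comes from configuration.
SECRET = 'constructed-demo-secret'.freeze

# HMAC-SHA1 over the serialized cookie payload, hex-encoded.
def sign(payload, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
end

# Models the observable in the vulnerable path: a short-circuiting == stops
# at the first differing byte, so the number of bytes examined (and thus the
# run time) depends on how much of the candidate digest is already correct.
def naive_comparisons(expected, candidate)
  count = 0
  expected.bytes.zip(candidate.bytes) do |x, y|
    count += 1
    break if x != y
  end
  count
end

# Mitigation: examine every byte and accumulate differences, so the work done
# does not depend on where (or whether) the two strings diverge.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Cookie shape assumed for the demo: "<base64 payload>--<hex digest>".
def build_cookie(data, secret = SECRET)
  encoded = [data].pack('m0')
  "#{encoded}--#{sign(encoded, secret)}"
end

# Returns the decoded payload when the digest checks out, nil otherwise.
# constant_time: false reproduces the short-circuiting comparison.
def verify_cookie(cookie, secret = SECRET, constant_time: true)
  encoded, digest = cookie.split('--', 2)
  return nil if encoded.nil? || digest.nil?
  expected = sign(encoded, secret)
  ok = constant_time ? secure_compare(expected, digest) : expected == digest
  ok ? encoded.unpack1('m0') : nil
end
```

`naive_comparisons` makes the leak visible without noisy timing measurements; `secure_compare` always touches every byte, which is the property the fixed verifier needs.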
I've submitted a build of 2.1.1 with the 2.2.x patch applied for review; I'll submit it to epel-5-updates stable or testing depending on today's feedback.
It doesn't look like rubygem-actionpack-2.1.1-6.el5 was ever submitted to EPEL5; when I look for the latest release version I see -5.el5. Do you still intend to submit that fix?
Created rubygem-actionpack tracking bugs for this issue
Affects: epel-5 [bug 961066]
Tracking bug filed for EPEL5 so this can be followed up there; no need to keep this open when it's fixed everywhere else for the last three years.