Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3933 to the following vulnerability:

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.

References:
[1] http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0
[2] http://securitytracker.com/id?1024624
[3] http://secunia.com/advisories/41930
[4] http://www.vupen.com/english/advisories/2010/2719
[5] https://bugs.gentoo.org/show_bug.cgi?id=386377
This issue did not affect the versions of the rubygem-activerecord package as shipped with Fedora releases 14 and 15 (the current rubygem-activerecord package versions in these releases already contain the relevant upstream patches).

This issue did not affect the version of the rubygem-activerecord package as present within the EPEL-5 repository. That rubygem-activerecord package version does not contain the affected code yet.
rubygem-actionpack-2.3.18-1.el5, rubygem-activerecord-2.3.18-1.el5, rubygem-activesupport-2.3.18-1.el5 have been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.