A flaw in the template selection code in Ruby on Rails >=3.0 could allow an attacker to render a view they should not have access to [1]. This is corrected in 3.0.10 and 3.1.0rc6, patches are available in the advisory [1] and in git [2]. [1] http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6 [2] https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552
This flaw is in rubygem-actionpack, not rubygem-rails.
Created rubygem-actionpack tracking bugs for this issue Affects: fedora-15 [bug 731448]
I'm not really familiar with the Fedora security response procedures, but don't we also need a F-16 and rawhide bug as well? Since the flaw was just fixed yesterday, the problem will be in all 3.
You should be able to use the same tracking bug for all three.
OK, thanks, that's what I wanted to know.
This issue has been assigned the name CVE-2011-2929: http://www.openwall.com/lists/oss-security/2011/08/19/11
This issue does not affect the version of rubygem-actionpack shipped with Fedora 14. This issue has been addressed in Fedora-15 and upcoming Fedora-16 via the following advisories: fedora-15: https://admin.fedoraproject.org/updates/rubygem-actionpack-3.0.5-4.fc15 fedora-16: https://admin.fedoraproject.org/updates/rubygem-activesupport-3.0.10-1.fc16,rubygem-activemodel-3.0.10-1.fc16,rubygem-activerecord-3.0.10-1.fc16,rubygem-activeresource-3.0.10-1.fc16,rubygem-actionpack-3.0.10-1.fc16,rubygem-actionmailer-3.0.10-1.fc16,rubygem-railties-3.0.10-1.fc16,rubygem-rails-3.0.10-1.fc16