Candidate: CVE-2011-2929
PublicDate: 2011-08-29 18:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2929
 http://www.openwall.com/lists/oss-security/2011/08/19/11
 http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
 https://bugzilla.redhat.com/show_bug.cgi?id=731432
Description:
 The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
Ubuntu-Description:
Notes:
 mdeslaur> only affects 3.x
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_rails:
upstream: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
upstream_rails: released (3.0.10)
hardy_rails: ignored (reached end-of-life)
lucid_rails: not-affected (2.2.3-2)
maverick_rails: not-affected (2.3.5-1.1)
natty_rails: not-affected (2.3.5-1.2ubuntu1)
devel_rails: not-affected (2.3.14.1)