Candidate: CVE-2011-3187
PublicDate: 2011-08-29 18:55:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3187
 http://www.openwall.com/lists/oss-security/2011/08/22/14
 http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html
Description:
 The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb
 in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in
 requests from IP addresses on a Class C network, which might allow remote
 attackers to inject arbitrary text into log files or bypass intended
 address parsing via a crafted header.
Ubuntu-Description: 
Notes: 
 mdeslaur> looks like it's 3.x only
Bugs: 
 https://bugzilla.novell.com/show_bug.cgi?id=673010
Priority: low
Discovered-by:
Assigned-to: 
CVSS: 

Patches_rails:
upstream_rails: needs-triage
hardy_rails: ignored (reached end-of-life)
lucid_rails: not-affected (2.2.3-2)
maverick_rails: not-affected (2.3.5-1.1)
natty_rails: not-affected (2.3.5-1.2ubuntu1)
devel_rails: not-affected (2.3.14.1)