from: CMS Report's Front Page News | CMS Report
Riding Rails: Ruby on Rails 1.2.6 Submitted by CMS Report on November 25, 2007 - 12:48pm. "The rails core team has released ruby on rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE Identifier for this new issue is CVE-2007-6077."
from: Ruby on Rails Security Project — Exploring the Security of Rails and friends.
The rails core team has released ruby on rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE Identifier for this new issue is CVE-2007-6077. You should upgrade to this new release if you do not take specific session-fixation counter measures in your application. 1.2.6 also
from: Nixforce.com a site dedicated to opensource products, like Linux, Debian, php, mysql and more
Ruby on Rails 1.2.6: Security and Maintenance Release The rails core team has released ruby on rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE Identifier for this new issue is CVE-2007-6077. You should upgrade to this new release if you do not take
from: Pardel’s Blog
Ruby on Rails 1.2.6 November 24, 2007 at 11:19 pm · Filed under Ruby on Rails The rails core team has released ruby on rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE Identifier for this new issue is CVE-2007-6077. You should upgrade to this new release if you do not take specific
from: Riding Rails
The rails core team has released ruby on rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE Identifier for this new issue is CVE-2007-6077. You should upgrade to this new release if you do not take specific session-fixation counter measures in your application. 1.2.6 also fixes
from: VulnAware.com
The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes :cookie_only to only be applied to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks