The particular issues are:
# Potential Information Disclosure or DoS with Hash#from_xml
Maliciously crafted requests to a rails application could cause the
XML parser to read files from the server's disk or the network. 1.2.4
removes this functionality entirely.
# Session Fixation attacks.
The session functionality in rails allowed users to provide their
session_id in the URL as well as cookies. The functionality could be
exploited by a malicious user to obtain an authenticated session.
Users who rely on URL based sessions can re-enable them as follows:
config.action_controller.session_options[:session_secure] = true
--
Cheers
Koz
> # Potential Information Disclosure or DoS with Hash#from_xml
CVE-2007-5379
> # Session Fixation attacks.
CVE-2007-5380
> config.action_controller.session_options[:session_secure] = true
This was a typo, to re-enable URL based sessions you need the
following line in your environment.rb file.
config.action_controller.session_options[:cookie_only] = false
--
Cheers
Koz