Mention the CVE id in "Ruby 1.9.2-p330 Released"

[postmodern]

There is no mention of the CVE id in Ruby 1.9.2-p330 Released.

[zzak]

Could you please email security@ for these kinds of reports, please? Thank you! <3

[postmodern]

@zzak you appear to be the original author of the blog post, but simply forgot to mention the CVE id.

Soon after announcing the End of Life for 1.9.2 (and 1.8.7), a critical security regression was found in 1.9.2.

[postmodern]

Emailed security@r-l.o as well.

[JuanitoFatas]

Original Pull Request: #809
cc @hone

[sorah]

Um? IMO there's no need to send email on security@... if CVE id already exists.

@zzak This is not existing news post's problem so we can handle this here.

[zzak]

@postmodern what was the CVE id? can you submit a patch? ;)

[postmodern]

@zzak no one seems to know the CVE id, or if one was even requested.

[postmodern]

What's also weird is the v1_9_2_330 tag is missing from the git mirror.

[zzak]

@postmodern I dont think a CVE was ever assigned, as this was considered a bugfix.

Sorry for the confusion.

[postmodern]

Soon after announcing the End of Life for 1.9.2 (and 1.8.7), a critical security regression was found in 1.9.2.

This bug occurs when parsing a long string is using the URI method decode_www_form_component. This can be reproduced by running the following on vulnerable Rubies:

"Critical security regression" doesn't exactly sound like a bugfix. Could you please have security@ request a CVE from MITRE?

[tarcieri]

Use CVE-2014-6438