Date: Sat, 03 Dec 2022 23:03:08 +0000 (UTC)
From: "Segaja (Andreas Schleifer)"
To: ruby-core@ml.ruby-lang.org
Subject: [ruby-core:111190] [Ruby master Misc#19178] How does CRuby handle CVE issues in stdlib gems which get patched?

Issue #19178 has been updated by Segaja (Andreas Schleifer).

austin (Austin Ziegler) wrote in #note-5:
> No, they can be upgraded independently.

That is interesting. The second sentence from https://rubyreferences.github.io/rubyref/stdlib/bundled.html says "Unlike standard library, these gems can be updated independently from Ruby itself."

But your way of updating "json" as a normal gem over the default gem means that whenever ruby is used with `--disable-gems` then the updated version is not used and thus a CVE could still be exposed. Also, doing such updates with a major version could break a lot of software, which for example breaks with `psych` version 4.x as far as I know.

But I think my question remains: If I (as Arch maintainer) don't update (package the gem as a new package) the gem, then how long will it take for a CVE to be fixed in the default ruby release?

----------------------------------------
Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
https://bugs.ruby-lang.org/issues/19178#change-100474

* Author: Segaja (Andreas Schleifer)
* Status: Open
* Priority: Normal
----------------------------------------
If there is a CVE issue in one of the stdlibs ( https://stdgems.org/ ) which gets patched, what is CRuby's approach on how to push this critical fix to the users? As far as I know stdlibs get only updated for the users if CRuby releases a new version. So will CRuby always release a new version if there is a critical fix and a stdlib "needs" to be updated?
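A check a packager can run to see whether a gem-level update of a default gem actually reaches processes started with `--disable-gems`, added here as an example and not code from the issue thread or from CRuby. It assumes the interpreter under test is the one running the script (`RbConfig.ruby`) and that the gem exposes its version as `<Const>::VERSION`, as `json` and `psych` do.

```ruby
require 'rbconfig'
require 'open3'
require 'rubygems'

# Interpreter under test: the same binary that runs this script (assumption).
RUBY_BIN = RbConfig.ruby

# Spawns a throwaway interpreter that requires `gem_name` and prints the
# version constant `const`::VERSION. With disable_gems: true the child runs as
# `ruby --disable-gems`, so RubyGems' require override is absent and the
# require resolves only through the stock $LOAD_PATH (the default gem's files).
def loaded_version(gem_name, const, disable_gems: false)
  argv = [RUBY_BIN]
  argv << '--disable-gems' if disable_gems
  argv += ['-e', "require #{gem_name.inspect}; print #{const}::VERSION"]
  out, status = Open3.capture2(*argv, err: File::NULL)
  status.success? ? out.strip : nil
end

# Compares both modes. `patch_bypassed` is true when a normal process loads a
# newer (e.g. gem-installed, CVE-fixed) version than a --disable-gems process,
# which is exactly the gap described in the thread above.
def disable_gems_exposure(gem_name, const)
  with_gems    = loaded_version(gem_name, const)
  without_gems = loaded_version(gem_name, const, disable_gems: true)
  return nil if with_gems.nil? || without_gems.nil?
  {
    gem: gem_name,
    with_rubygems: with_gems,
    without_rubygems: without_gems,
    patch_bypassed: Gem::Version.new(without_gems) < Gem::Version.new(with_gems),
  }
end

if __FILE__ == $PROGRAM_NAME
  # json and psych are default gems that expose <Const>::VERSION.
  [%w[json JSON], %w[psych Psych]].each do |name, const|
    report = disable_gems_exposure(name, const)
    puts(report ? report.inspect : "#{name}: could not be loaded in both modes")
  end
end
```

A `patch_bypassed: true` line means the host has a newer gem installed on top of the default gem, but any `--disable-gems` invocation still runs the version shipped with the interpreter.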