From: "hsbt (Hiroshi SHIBATA)" <noreply@ruby-lang.org>
To: ruby-core@ml.ruby-lang.org
Subject: [ruby-core:111191] [Ruby master Misc#19178] How does CRuby handle CVE issues in stdlib gems which get patched?
Date: Sat, 03 Dec 2022 23:08:59 +0000 (UTC) [thread overview]
Message-ID: <redmine.journal-100475.20221203230858.52585@ruby-lang.org> (raw)
In-Reply-To: redmine.issue-19178.20221203211952.52585@ruby-lang.org
Issue #19178 has been updated by hsbt (Hiroshi SHIBATA).
>But your way of updating "json" as a normal gem over the default gem means that whenever ruby is used with --disable-gems then the updated version is not used and thus a CVE could still be exposed.
`--disable-gems` is only development option for debugging the Ruby binary. Do not use it for application or software development.
----------------------------------------
Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
https://bugs.ruby-lang.org/issues/19178#change-100475
* Author: Segaja (Andreas Schleifer)
* Status: Open
* Priority: Normal
----------------------------------------
If there is a CVE issue in one of the stdlibs ( https://stdgems.org/ ) which gets patched, what is CRubys approach on how to push this critical fix to the users?
As far as I know stdlibs get only updated for the users if CRuby releases a new version. So will CRuby always release a new version if there is a critical fix an stdlib "needs" to be updated?
--
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
next prev parent reply other threads:[~2022-12-03 23:09 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-03 21:19 [ruby-core:111183] [Ruby master Misc#19178] How does CRuby handle CVE issues in stdlib gems which get patched? Segaja (Andreas Schleifer)
2022-12-03 21:53 ` [ruby-core:111184] " hsbt (Hiroshi SHIBATA)
2022-12-03 21:55 ` [ruby-core:111185] " Segaja (Andreas Schleifer)
2022-12-03 22:11 ` [ruby-core:111186] " austin (Austin Ziegler)
2022-12-03 22:14 ` [ruby-core:111187] " Segaja (Andreas Schleifer)
2022-12-03 22:20 ` [ruby-core:111188] " austin (Austin Ziegler)
2022-12-03 22:55 ` [ruby-core:111189] " hsbt (Hiroshi SHIBATA)
2022-12-03 23:03 ` [ruby-core:111190] " Segaja (Andreas Schleifer)
2022-12-03 23:08 ` hsbt (Hiroshi SHIBATA) [this message]
2022-12-04 0:03 ` [ruby-core:111192] " ioquatix (Samuel Williams)
2022-12-04 15:10 ` [ruby-core:111200] " graywolf (Gray Wolf)
2022-12-13 4:35 ` [ruby-core:111266] " hsbt (Hiroshi SHIBATA)
2022-12-13 4:35 ` [ruby-core:111267] " hsbt (Hiroshi SHIBATA)
2022-12-13 4:36 ` [ruby-core:111268] " nobu (Nobuyoshi Nakada)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.ruby-lang.org/en/community/mailing-lists/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=redmine.journal-100475.20221203230858.52585@ruby-lang.org \
--to=ruby-core@ruby-lang.org \
--cc=ruby-core@ml.ruby-lang.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).