ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:58757] [Backport93 - Backport #9193][Open] ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
From: jeremyevans0 (Jeremy Evans) @ 2013-12-02  0:02 UTC
  To: ruby-core


Issue #9193 has been reported by jeremyevans0 (Jeremy Evans).

----------------------------------------
Backport #9193: ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
https://bugs.ruby-lang.org/issues/9193

Author: jeremyevans0 (Jeremy Evans)
Status: Open
Priority: High
Assignee: 
Category: 
Target version: 


It appears that ruby 2.0.0-p353 included an update to rubygems 2.0.10 which fixes CVE-2013-4287 and CVE-2013-4363. ruby 1.9.3-p484 did not contain an update to the included rubygems, so it is still vulnerable. ruby 1.9.3 should either be updated to use rubygems 1.8.27 or 1.8.28, or the attached patch should be applied to fix the two CVEs.


-- 
http://bugs.ruby-lang.org/


* [ruby-core:59123] [Backport93 - Backport #9193] ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
From: drbrain (Eric Hodel) @ 2013-12-15 20:12 UTC
  To: ruby-core


Issue #9193 has been updated by drbrain (Eric Hodel).

File ruby_1_9_3.rubygems.1.8.23.2.patch added

Here's the patch I sent to security@ruby-lang.org.

----------------------------------------
Backport #9193: ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
https://bugs.ruby-lang.org/issues/9193#change-43686

Author: jeremyevans0 (Jeremy Evans)
Status: Open
Priority: High
Assignee: 
Category: 
Target version: 

-- 
http://bugs.ruby-lang.org/


* [ruby-core:59124] [Backport93 - Backport #9193][Assigned] ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
From: drbrain (Eric Hodel) @ 2013-12-15 20:13 UTC
  To: ruby-core


Issue #9193 has been updated by drbrain (Eric Hodel).

Status changed from Open to Assigned
Assignee set to usa (Usaku NAKAMURA)


----------------------------------------
Backport #9193: ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
https://bugs.ruby-lang.org/issues/9193#change-43687

Author: jeremyevans0 (Jeremy Evans)
Status: Assigned
Priority: High
Assignee: usa (Usaku NAKAMURA)
Category: 
Target version: 

-- 
http://bugs.ruby-lang.org/


* [ruby-core:59264] [Backport93 - Backport #9193] ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
From: usa (Usaku NAKAMURA) @ 2013-12-22  5:10 UTC
  To: ruby-core


Issue #9193 has been updated by usa (Usaku NAKAMURA).


Fixed at r44335.
Thank you for reporting and patching!

----------------------------------------
Backport #9193: ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
https://bugs.ruby-lang.org/issues/9193#change-43822

Author: jeremyevans0 (Jeremy Evans)
Status: Assigned
Priority: High
Assignee: usa (Usaku NAKAMURA)
Category: 
Target version: 

-- 
http://bugs.ruby-lang.org/


* [ruby-core:59265] [Backport93 - Backport #9193][Closed] ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
From: usa (Usaku NAKAMURA) @ 2013-12-22  5:10 UTC
  To: ruby-core


Issue #9193 has been updated by usa (Usaku NAKAMURA).

Status changed from Assigned to Closed


----------------------------------------
Backport #9193: ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
https://bugs.ruby-lang.org/issues/9193#change-43823

Author: jeremyevans0 (Jeremy Evans)
Status: Closed
Priority: High
Assignee: usa (Usaku NAKAMURA)
Category: 
Target version: 

-- 
http://bugs.ruby-lang.org/
