[Buildroot] [PATCH] ruby: add upstream security patches bumping rubygems to 2.6.13
Peter Korsgaard
peter at korsgaard.com
Mon Oct 16 21:53:08 UTC 2017
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> We unfortunately cannot use the upstream patches directly as they are not in
> 'patch -p1' format, so convert them and include instead.
> Fixes:
> CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to
> maliciously crafted gem specifications that include terminal escape
> characters. Printing the gem specification would execute terminal escape
> sequences.
> CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to
> maliciously crafted gem specifications to cause a denial of service attack
> against RubyGems clients who have issued a `query` command.
> CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate
> specification names, allowing a maliciously crafted gem to potentially
> overwrite any file on the filesystem.
> CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS
> hijacking vulnerability that allows a MITM attacker to force the RubyGems
> client to download and install gems from a server that the attacker
> controls.
> For more details, see
> https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2017.08.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list