Bug #14481
closedBackport request for RubyGems 2.7.6
Description
RubyGems 2.7.6 has been released. It contained the several vulnerability fixes.
http://blog.rubygems.org/2018/02/15/2.7.6-released.html
I created patches for all of the active branches of Ruby.
rubygems-276-for-ruby25.patch¶
This patch for upgrading RubyGems 2.7.3 to 2.7.6 and tiny changes for test-case. So, It includes following fixes:
rubygems-276-for-ruby24.patch and rubygems-276-for-ruby23.patch¶
These patches contained RubyGems 2.7.6 security fixes and tempfile leak fixes.
rubygems-276-for-ruby22.patch¶
This patch fixed security vulnerabilities for RubyGems 2.7.6. But I removed patch for "Prevent path traversal when writing to a symlinked basedir outside of the root. Discovered by nmalkin, fixed by Jonathan Claudius and Samuel Giddins." (It was not assigned CVE number)
Because to support packaging with symlink was provided after RubyGems 2.5.
https://github.com/rubygems/rubygems/pull/1209
So, Ruby 2.2 contained RubyGems 2.4. It's affected by its vulnerability.
To nalsh, nagachika, usa
Please backport them.
Files
Updated by hsbt (Hiroshi SHIBATA) over 6 years ago
So, Ruby 2.2 contained RubyGems 2.4. It's affected by its vulnerability.
oops, "It's NOT affected" is correct status.
Updated by nagachika (Tomoyuki Chikanaga) over 6 years ago
- Status changed from Open to Closed
Applied in changeset ruby_2_4|r62434.
merge revision(s) 62422: [Backport #14481]
Merge RubyGems 2.7.6 from upstream.
It fixed some security vulnerabilities.
http://blog.rubygems.org/2018/02/15/2.7.6-released.html
Updated by nagachika (Tomoyuki Chikanaga) over 6 years ago
- Backport changed from 2.3: REQUIRED, 2.4: REQUIRED, 2.5: REQUIRED to 2.3: REQUIRED, 2.4: DONE, 2.5: REQUIRED
Updated by nagachika (Tomoyuki Chikanaga) over 6 years ago
I've found that ruby -wc test/rubygems/test_gem_server.rb report some warnings.
Due to this warnings, TEST_RIPPER_RATIO=1 make test-all TESTS=ripper/test_files.rb
failed.
The default value of TEST_RIPPER_RATIO is 0.05, so the test failure is not deterministic with plain make test-all
.
I will fix the warning in trunk and ruby_2_4 branch.
Updated by usa (Usaku NAKAMURA) over 6 years ago
- Backport changed from 2.3: REQUIRED, 2.4: DONE, 2.5: REQUIRED to 2.3: DONE, 2.4: DONE, 2.5: REQUIRED
Updated by naruse (Yui NARUSE) over 6 years ago
- Backport changed from 2.3: DONE, 2.4: DONE, 2.5: REQUIRED to 2.3: DONE, 2.4: DONE, 2.5: DONE
ruby_2_5 r62837 merged revision(s) 62244,62246,62301,62302,62303,62422,62436,62452.