Backport #9193

ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23

Added by Jeremy Evans 5 months ago. Updated 4 months ago.

[ruby-core:58757]
Status: Closed
Priority: High
Assignee: Usaku NAKAMURA

Description

It appears that ruby 2.0.0-p353 included an update to rubygems 2.0.10 which fixes CVE-2013-4287 and CVE-2013-4363. ruby 1.9.3-p484 did not contain an update to the included rubygems, so it is still vulnerable. ruby 1.9.3 should either be updated to use rubygems 1.8.27 or 1.8.28, or the attached patch should be applied to fix the two CVEs.

rubygems.diff (494 Bytes) Jeremy Evans, 12/02/2013 09:02 AM

ruby_1_9_3.rubygems.1.8.23.2.patch - Complete patch with tests (2.54 KB) Eric Hodel, 12/16/2013 05:12 AM

History

#1 Updated by Eric Hodel 4 months ago

Here's the patch I sent to security@ruby-lang.org

#2 Updated by Eric Hodel 4 months ago

  • Status changed from Open to Assigned
  • Assignee set to Usaku NAKAMURA

#3 Updated by Usaku NAKAMURA 4 months ago

Fixed at r44335.
Thank you for reporting and patching!

#4 Updated by Usaku NAKAMURA 4 months ago

  • Status changed from Assigned to Closed
