Project

General

Profile

Actions
Copy link

Backport #9193

closed

ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23

Added by jeremyevans0 (Jeremy Evans) over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
usa (Usaku NAKAMURA)
[ruby-core:58757]

Description

It appears that ruby 2.0.0-p353 included an update to rubygems 2.0.10 which fixes CVE-2013-4287 and CVE-2013-4363. ruby 1.9.3-p484 did not contain an update to the included rubygems, so it is still vulnerable. ruby 1.9.3 should either be updated to use rubygems 1.8.27 or 1.8.28, or the attached patch should be applied to fix the two CVEs.

Files

Download all files
rubygems.diff (494 Bytes) rubygems.diff jeremyevans0 (Jeremy Evans), 12/02/2013 09:02 AM
ruby_1_9_3.rubygems.1.8.23.2.patch (2.54 KB) ruby_1_9_3.rubygems.1.8.23.2.patch Complete patch with tests drbrain (Eric Hodel), 12/16/2013 05:12 AM
Actions
Copy link
 #2 [ruby-core:59124]

Updated by drbrain (Eric Hodel) over 9 years ago

  • Status changed from Open to Assigned
  • Assignee set to usa (Usaku NAKAMURA)
Actions
Copy link
 #3 [ruby-core:59264]

Updated by usa (Usaku NAKAMURA) over 9 years ago

fixed at r44335.
Thank you for reporting and patching!

Actions
Copy link
 #4 [ruby-core:59265]

Updated by usa (Usaku NAKAMURA) over 9 years ago

  • Status changed from Assigned to Closed
Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0Like0