
Re: CVE-2018-1000074: rubygems, jruby & ruby1.9.11

Hi Chris,

On 02/04/18 at 08:55, Chris Lamb wrote:
> Hi Santiago,
> I just triaged rubygems & jruby for wheezy re. CVE-2018-1000074 and
> noticed that ruby1.9.1 is also vulnerable. You still have this latter
> package reserved in dla-needed.txt since March 18th.

I have been unable to confirm that the versions of these packages are
affected by CVE-2018-1000074 and CVE-2018-1000079. Also, it seems
there is no upstream patch for the oldest maintained ruby covering
those issues:
Do you have any more info how to those CVEs?

I haven't marked them as unaffected yet, just to be conservative.

> Can you let me know whether you still wish to work on this package
> or whether you would — in addition — like to take the same underlying
> issue in rubygems and jruby as well?

About ruby1.9.1, other issues have been reported in the meantime, and I am
waiting to fix them in the same upload.


