
Re: CVE-2018-1000074: rubygems, jruby & ruby1.9.11



Hi Santiago,

> I have been unable to confirm the versions of these packages are
> affected by CVE-2018-1000074 and CVE-2018-1000079

re. CVE-2018-1000074, it seems fairly clear. For example, here is jruby's
lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb:

    with_response response do |resp|
      owners = YAML.load resp.body

(The others are similar, if not identical.)

> > Can you let me know whether you still wish to work on this package
> > or whether you would — in addition — like to take the same underlying
> > issue in rubygems and jruby as well?
> 
> About ruby1.9.1, other issues have been reported meantime, and I am
> waiting to fix them in the same upload.

Sorry, I should have been clearer; given that the issues overlap to
some degree, I think it would be best if one person took them all. Are
you happy to reserve the other packages in dla-needed.txt? :)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-


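The YAML.load call quoted above, shown beside its YAML.safe_load counterpart, as an added example that is not part of this thread or of rubygems' own code. The Owner class and the two response bodies are constructed for the example; the hardening shown is the generic safe_load approach, not necessarily the exact patch rubygems shipped.

```ruby
require 'yaml'

# Hypothetical class standing in for any class already loaded in the
# process (constructed for this example; not from rubygems).
class Owner
  attr_accessor :email
end

# Constructed stand-ins for a response body: a normal owner list, and a
# document carrying a !ruby/object tag, which YAML.load turns into a
# live Owner instance instead of plain data.
BENIGN_BODY = "---\n- email: alice@example.test\n- email: bob@example.test\n".freeze
TAGGED_BODY = "--- !ruby/object:Owner\nemail: carol@example.test\n".freeze

# The pre-fix behaviour of the quoted owner_command.rb. Psych 4
# (Ruby 3.1+) made YAML.load safe by default, so fall back to
# unsafe_load there to reproduce what the old code did.
def parse_legacy(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# Hardened form: only core scalar and collection types are accepted, and
# any tagged object raises Psych::DisallowedClass instead of being
# instantiated. The caller sees a plain error hash rather than an object.
def parse_safe(body)
  YAML.safe_load(body)
rescue Psych::DisallowedClass => e
  { error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy, tagged body: #{parse_legacy(TAGGED_BODY).class}"
  puts "safe, tagged body:   #{parse_safe(TAGGED_BODY).inspect}"
end
```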