Re: CVE-2018-1000074: rubygems, jruby & ruby1.9.11
Hi Santiago,
> I have been unable to confirm the versions of these packages are
> affected by CVE-2018-1000074 and CVE-2018-1000079
re. CVE-2018-1000074, it seems fairly clear. For example, here is jruby's
lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb:
    with_response response do |resp|
      owners = YAML.load resp.body
(The others are similar, if not identical.)
> > Can you let me know whether you still wish to work on this package
> > or whether you would — in addition — like to take the same underlying
> > issue in rubygems and jruby as well?
>
> About ruby1.9.1, other issues have been reported meantime, and I am
> waiting to fix them in the same upload.
Sorry, I should have been clearer; given that the issues overlap to
some degree I think it would be best if one person took them all. Are
you happy to reserve the other packages in dla-needed.txt? :)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
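
The `YAML.load resp.body` line quoted in the message above deserializes a server-controlled response body with full Ruby object support. As an added illustration (not part of the original message, and not rubygems or jruby code), the following parses the same kind of body with Psych's `YAML.safe_load` and checks its shape; the helper names, the sample bodies and the response shape (a list of mappings with an `email` key) are assumptions made for the example.

```ruby
require 'yaml'

# Constructed sample bodies (not captured from any real server).
BENIGN_BODY = "---\n- email: alice@example.org\n- email: bob@example.org\n"
# A body whose root node carries a Ruby object tag; YAML.load would try to
# instantiate the named class, safe_load refuses it.
TAGGED_BODY = "--- !ruby/object:Object\nemail: mallory@example.org\n"
# Well-formed YAML of basic types, but not the list the caller expects.
WRONG_SHAPE = "---\nemail: alice@example.org\n"

class UntrustedResponseError < StandardError; end

# Hypothetical helper: parse an owners listing taken from an HTTP response.
# With no extra arguments, safe_load permits only basic types (strings,
# numbers, booleans, nil, arrays, hashes) and rejects object tags and aliases.
def parse_owners(body)
  data = begin
    YAML.safe_load(body)
  rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
    raise UntrustedResponseError, "rejected response body: #{e.class}"
  end

  # Type restriction alone is not enough: also confirm the expected structure
  # before any field is used.
  well_formed = data.is_a?(Array) &&
                data.all? { |o| o.is_a?(Hash) && o['email'].is_a?(String) }
  raise UntrustedResponseError, 'unexpected response shape' unless well_formed

  data.map { |o| o['email'] }
end

# Convenience predicate for callers that only need accept/reject.
def rejected?(body)
  parse_owners(body)
  false
rescue UntrustedResponseError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts parse_owners(BENIGN_BODY).inspect
  puts "tagged body rejected: #{rejected?(TAGGED_BODY)}"
  puts "wrong shape rejected: #{rejected?(WRONG_SHAPE)}"
end
```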