[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2018-1000074: rubygems, jruby & ruby1.9.11

El 02/04/18 a las 10:13, Chris Lamb escribió:
> Hi Santiago,
> > I have been unable to confirm the versions of these packages are
> > affected by CVE-2018-1000074 and CVE-2018-1000079
> re. CVE-2018-1000074, it seems fairly clear. For example, here is jruby's
> lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb:
>  45     with_response response do |resp|
>  46       owners = YAML.load resp.body
> (The others are similar, if not identical.)

Yes. Sorry, I was unclear. I meant I have been unable to confirm it
through a PoC. The code seems to be affected.
However, I am not sure this issue warrants a DLA (neither a DSA?).
upstream didn't backported the patch for ruby2.2, and backporting to 1.8
and 1.9.1 is quite intrusive, from my point of view.
Security team, what's your position about CVE-2018-1000074 for stable?

> > > Can you let me know whether you still wish to work on this package
> > > or whether you would — in addition — like to take the same underlying
> > > issue in rubygems and jruby as well?
> > 
> > About ruby1.9.1, other issues have been reported meantime, and I am
> > waiting to fix them in the same upload.
> Sorry, I should have been clearer; given that that issues overlap to
> some degree I think it would be best if one person took them all. Are
> you happy to reserve the other packages in dla-needed.txt? :)

I'd suggest to wait for the security team's opinion about the issue.

Attachment: signature.asc
Description: PGP signature

Reply to: