
Update ruby to 2.3.5 to address multiple CVE's:

Authored by mcritchlow on Oct 8 2017, 12:46 AM.
Full Changelog

CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-0899: ANSI escape sequence vulnerability
CVE-2017-0900: DoS vulnerability in the query command
CVE-2017-0901: a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files
CVE-2017-0902: DNS request hijacking vulnerability
CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure vulnerability in generating JSON

Installed patch to ensure we don't lose linking against libgmp via
This should, ideally, not be necessary and removed in the next upgrade.

Test Plan

Installed locally and fired up an IRB session
Did a make of bundler, everything seemed fine

Diff Detail

R2832 ruby
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

mcritchlow created this revision. Oct 8 2017, 12:46 AM
sunnyflunk retitled this revision from "update ruby to 2.3.5" to "Update ruby to 2.3.5 to address multiple CVE's:". Oct 8 2017, 7:44 AM
sunnyflunk edited the summary of this revision.
sunnyflunk accepted this revision. Oct 8 2017, 7:47 AM
This revision is now accepted and ready to land. Oct 8 2017, 7:47 AM
This revision was automatically updated to reflect the committed changes.