
Update ruby to 2.3.5 to address multiple CVEs
ClosedPublic

Authored by mcritchlow on Oct 8 2017, 12:46 AM.

Details

Summary

Full Changelog

CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-0899: ANSI escape sequence vulnerability
CVE-2017-0900: DoS vulnerability in the query command
CVE-2017-0901: a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files
CVE-2017-0902: DNS request hijacking vulnerability
CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure vulnerability in generating JSON

Notes:
Installed a patch (via https://bugs.ruby-lang.org/issues/13899) to ensure we don't lose linking against libgmp.
This should, ideally, not be necessary and should be removed in the next upgrade.

Test Plan

Installed locally and fired up an IRB session.
Did a make of bundler; everything seemed fine.
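A verification script, added here as an example rather than code from this revision or the Solus repository, for the two things the summary and test plan above are meant to guarantee: that the installed interpreter is at least 2.3.5, and that it is still linked against libgmp. It assumes Ruby records `-lgmp` in `RbConfig::CONFIG["LIBS"]` when built with GMP and, from 2.4 on, defines `Integer::GMP_VERSION` in that case.

```ruby
# Added example: post-upgrade checks for the ruby 2.3.5 package (not part of the revision).
require "rubygems"  # Gem::Version for numeric (not lexical) version comparison
require "rbconfig"  # RbConfig::CONFIG holds the flags the interpreter was built with

MIN_VERSION = "2.3.5".freeze

# True when `version` (a dotted string such as RUBY_VERSION) is >= `minimum`.
# Gem::Version compares component-wise, so "2.3.10" is correctly newer than "2.3.5".
def version_at_least?(version, minimum = MIN_VERSION)
  Gem::Version.new(version) >= Gem::Version.new(minimum)
end

# True when the build recorded -lgmp among its link libraries. The exact
# token is required, so "-lgmpxx" alone does not count. `config` defaults to
# the running interpreter's configuration; a hash may be passed for testing.
def config_links_gmp?(config = RbConfig::CONFIG)
  config.fetch("LIBS", "").split.include?("-lgmp")
end

# Runtime confirmation: Ruby 2.4+ defines Integer::GMP_VERSION only when bignum
# arithmetic is backed by libgmp (on 2.3 the constant lives on Bignum instead,
# which config_links_gmp? covers).
def runtime_has_gmp?
  Integer.const_defined?(:GMP_VERSION)
end

# Summarise both checks for the given version string and build configuration.
def upgrade_report(version = RUBY_VERSION, config = RbConfig::CONFIG)
  {
    version: version,
    version_ok: version_at_least?(version),
    gmp_linked: config_links_gmp?(config) || runtime_has_gmp?,
  }
end

report = upgrade_report
puts "ruby #{report[:version]} >= #{MIN_VERSION}: #{report[:version_ok]}"
puts "linked against libgmp: #{report[:gmp_linked]}"
```

Run it with the packaged interpreter (`/usr/bin/ruby check.rb`) rather than a bundler or rbenv shim, otherwise it reports on the wrong Ruby.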

Diff Detail

Repository
R2832 ruby
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Oct 8 2017, 12:46 AM: mcritchlow created this revision.
Oct 8 2017, 7:44 AM: sunnyflunk retitled this revision from "update ruby to 2.3.5" to "Update ruby to 2.3.5 to address multiple CVE's:" and edited the summary.
Oct 8 2017, 7:47 AM: sunnyflunk accepted this revision. This revision is now accepted and ready to land.
This revision was automatically updated to reflect the committed changes.