
Update ruby to 2.3.5 to address multiple CVEs
Closed, Public

Authored by mcritchlow on Oct 8 2017, 12:46 AM.

Details

Summary

Full Changelog

CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-0899: ANSI escape sequence vulnerability
CVE-2017-0900: DoS vulnerability in the query command
CVE-2017-0901: A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files
CVE-2017-0902: DNS request hijacking vulnerability
CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure vulnerability in generating JSON

Notes:
Installed a patch to ensure we don't lose linking against libgmp; see https://bugs.ruby-lang.org/issues/13899
This should, ideally, not be necessary and should be removed in the next upgrade.

Test Plan

Installed locally and fired up an IRB session.
Did a make of bundler; everything seemed fine.
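The test plan above only confirms that the interpreter starts and that bundler builds. The following script is an added post-upgrade check, not part of revision D1173 or the Solus ruby package: it verifies that the running interpreter is at or above 2.3.5 (the release carrying the listed fixes), reports the bundled RubyGems version, checks whether libgmp is still linked (the concern behind the bugs.ruby-lang.org/issues/13899 note), and exercises the bignum multiply path with a known identity. The libgmp check assumes the usual autoconf behaviour of adding `-lgmp` to `RbConfig::CONFIG['LIBS']` when configure detects GMP; the `/proc/self/maps` check is Linux-only and returns nil elsewhere.

```ruby
# Added post-upgrade verification script; not part of D1173 or the Solus package.
require 'rubygems'
require 'rbconfig'

# Lowest Ruby release carrying the fixes listed in this revision's summary.
FIXED_RUBY = Gem::Version.new('2.3.5')

# True when +version+ (default: the running interpreter) is at or above 2.3.5.
def ruby_version_fixed?(version = RUBY_VERSION)
  Gem::Version.new(version) >= FIXED_RUBY
end

# True when the build's link line names libgmp. Assumes the usual autoconf
# behaviour of adding -lgmp to LIBS when configure detects GMP (assumption).
def gmp_linked?(libs = RbConfig::CONFIG['LIBS'].to_s)
  libs.split.include?('-lgmp')
end

# True when libgmp is mapped into this process. Linux only: returns nil when
# /proc/self/maps is not readable, so callers can tell "unknown" from "absent".
def gmp_mapped?(maps_path = '/proc/self/maps')
  return nil unless File.readable?(maps_path)
  File.read(maps_path).include?('libgmp')
end

# Exercises bignum multiplication (routed through GMP when Ruby was built with
# it) using an identity whose result is known: (2^n - 1)(2^n + 1) == 2^(2n) - 1.
# 4096-bit operands are large enough to leave the small-integer fast path.
def bignum_mul_ok?(bits = 4096)
  a = (1 << bits) - 1
  b = (1 << bits) + 1
  a * b == (1 << (2 * bits)) - 1
end

# Collects the individual checks into one hash for display or logging.
def report
  {
    ruby_version: RUBY_VERSION,
    ruby_fixed: ruby_version_fixed?,
    rubygems_version: Gem::VERSION,
    gmp_linked: gmp_linked?,
    gmp_mapped: gmp_mapped?,
    bignum_mul_ok: bignum_mul_ok?
  }
end

if __FILE__ == $PROGRAM_NAME
  report.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

Run it with the newly installed interpreter (`/usr/bin/ruby check.rb`): `ruby_fixed` must be true and `gmp_linked` should stay true after the libgmp patch; a false `gmp_linked` on a build that previously reported true is the regression the note in the summary is guarding against.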

Diff Detail

Repository: R2832 ruby
Lint: Not Applicable
Unit Tests: Not Applicable

Event Timeline

sunnyflunk retitled this revision from "update ruby to 2.3.5" to "Update ruby to 2.3.5 to address multiple CVE's:". Oct 8 2017, 7:44 AM
sunnyflunk edited the summary of this revision. (Show Details)
This revision is now accepted and ready to land. Oct 8 2017, 7:47 AM
This revision was automatically updated to reflect the committed changes.