From: jaruga@...
Date: 2019-04-15T13:33:56+00:00
Subject: [ruby-core:92296] [Ruby trunk Bug#15637] Backport RubyGems 3.0.3/2.7.9

Issue #15637 has been updated by jaruga (Jun Aruga).

Hi hsbt,

Thanks for fixing the vulnerability issues. I have just a question.

In case I want to fix only CVE-2019-8324 (Installing a malicious gem may lead to arbitrary code execution), applying the below commit is good enough, right?

Merge branch 'h1-328571' into master-private

* master: https://github.com/rubygems/rubygems/commit/bcc96123e916a2b8d302dc0f350d9068bd014188
* v3.0.3: https://github.com/rubygems/rubygems/commit/1e6f6a0561a8531ab99c608655c4fb15524ceee2
* v2.7.9: https://github.com/rubygems/rubygems/commit/8e61a52f49c9530706cd73d2f1edc10f097e591f

----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-77637

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.4: DONE, 2.5: DONE, 2.6: DONE
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)