Issue #15637 has been updated by jaruga (Jun Aruga).


Hi hsbt,
Thanks for fixing the vulnerability issues.
I have just one question.

In case I want to fix only CVE-2019-8324 (installing a malicious gem may lead to arbitrary code execution), applying the commit below is good enough, right?

Merge branch 'h1-328571' into master-private
* master: https://github.com/rubygems/rubygems/commit/bcc96123e916a2b8d302dc0f350d9068bd014188
* v3.0.3: https://github.com/rubygems/rubygems/commit/1e6f6a0561a8531ab99c608655c4fb15524ceee2
* v2.7.9: https://github.com/rubygems/rubygems/commit/8e61a52f49c9530706cd73d2f1edc10f097e591f


----------------------------------------
Bug #15637: Backport RubyGems 3.0.3/2.7.9
https://bugs.ruby-lang.org/issues/15637#change-77637

* Author: hsbt (Hiroshi SHIBATA)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: DONE, 2.5: DONE, 2.6: DONE
----------------------------------------
I released RubyGems 3.0.3 and 2.7.9 today. They contain multiple vulnerability fixes.

* https://blog.rubygems.org/2019/03/05/3.0.3-released.html
* https://blog.rubygems.org/2019/03/05/2.7.9-released.html

I attached the patches for Ruby 2.4, 2.5 and 2.6.

---Files--------------------------------
ruby-2.4.5-rubygems.patch (12.4 KB)
ruby-2.5.3-rubygems.patch (12.4 KB)
ruby-2.6.1-rubygems.patch (17.6 KB)
ruby-2.4.5-rubygems-v2.patch (12.5 KB)
ruby-2.5.3-rubygems-v2.patch (12.5 KB)
ruby-2.6.1-rubygems-v2.patch (17.7 KB)


-- 
https://bugs.ruby-lang.org/