Issue #16698 has been reported by jeremyevans0 (Jeremy Evans).

----------------------------------------
Bug #16698: Backport security fix for CVE-2020-10663
https://bugs.ruby-lang.org/issues/16698

* Author: jeremyevans0 (Jeremy Evans)
* Status: Closed
* Priority: Normal
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED, 2.7: DONTNEED
----------------------------------------
As announced at https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/, you can upgrade the JSON gem to 2.3.0 to work around the security issue.  However, that brings in new features and not just the security fix.  The security issue itself is easy to fix in older ruby versions, and I think the next releases of Ruby 2.4, 2.5, and 2.6 should contain just this security fix without a JSON version upgrade.  I'm not sure if we plan a security release of Ruby 2.4 before it goes fully out of support, but I think we should have one.

Attached is a patch for ruby 2.6.  It applies cleanly to ruby 2.4 and 2.5 (with some offsets).



---Files--------------------------------
ruby-2-6-json-cve-2020-10663.patch (1.05 KB)


-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>