[DRE-maint] Bug#842504: CVE-2016-7954: code execution via gem name collision in bundler

Salvatore Bonaccorso carnil at debian.org
Sat Oct 29 19:27:25 UTC 2016


Package: bundler
Version: 1.7.4-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for bundler.

CVE-2016-7954[0]:
code execution via gem name collision in bundler

Please correct me if I'm wrong. As far as I understand, this issue cannot
be fixed within the 1.x series due to the lockfile format. This bug is to
continue tracking the CVE in the Debian BTS.

We have marked the issue as no-dsa already for jessie.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7954

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore