[Secure-testing-commits] r38377 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Wed Dec 16 23:18:52 UTC 2015
Author: carnil
Date: 2015-12-16 23:18:52 +0000 (Wed, 16 Dec 2015)
New Revision: 38377
Modified:
data/CVE/list
Log:
Add CVE-2015-7551/ruby2.2
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-12-16 22:34:54 UTC (rev 38376)
+++ data/CVE/list 2015-12-16 23:18:52 UTC (rev 38377)
@@ -4374,6 +4374,9 @@
RESERVED
CVE-2015-7551
RESERVED
+ - ruby2.2 <unfixed> (bug #796551)
+ NOTE: https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
+ TODO: check correctness for CVE-2009-5147/CVE-2015-7551 record since affects multiple ruby versions
CVE-2015-7550
RESERVED
CVE-2015-7549 [pci: msi-x: null pointer dereference issue]
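Review bot: The added entry under CVE-2015-7551 tracks only ruby2.2, while the TODO on the last added line says the issue affects multiple ruby versions, so the record is knowingly incomplete as committed. Suggest adding one line per remaining ruby source package with its own status (the related record touched further down in this patch carries ruby2.0 and ruby2.1 lines next to ruby2.2), or naming in the TODO which packages still need checking. The record also has no bracketed description, unlike the neighbouring "CVE-2015-7549 [pci: msi-x: null pointer dereference issue]"; a short one would make the entry easier to find.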
@@ -19322,7 +19325,7 @@
- ruby2.0 <removed>
- ruby2.1 <unfixed> (bug #796344)
[jessie] - ruby2.1 <no-dsa> (Minor issue)
- - ruby2.2 <unfixed> (bug #796551)
+ - ruby2.2 <not-affected> (Does not contain DL, cf note and corresponding CVE-2015-7551)
NOTE: https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
NOTE: Although the is upstream commit mentioned, the corresponding change does not
NOTE: seem to be contained in e.g. latest 1.9.1 and 2.1. E.g.
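Review bot: The new <not-affected> reason on the ruby2.2 line says "cf note", but the NOTE lines visible in this record only discuss the upstream commit and do not state that ruby2.2 ships without DL. Suggest adding a NOTE here that says so explicitly, with the pointer to CVE-2015-7551 for the Fiddle side, so the justification does not rest on a cross-reference alone. The log message "Add CVE-2015-7551/ruby2.2" also does not mention this status change from <unfixed> (bug #796551) to <not-affected>; a second line in the log would make the move of the bug reference traceable. While the record is being touched, the unchanged line "NOTE: Although the is upstream commit mentioned" has its words out of order and could be corrected.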