[Secure-testing-commits] r38377 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Wed Dec 16 23:18:52 UTC 2015


Author: carnil
Date: 2015-12-16 23:18:52 +0000 (Wed, 16 Dec 2015)
New Revision: 38377

Modified:
   data/CVE/list
Log:
Add CVE-2015-7551/ruby2.2

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-12-16 22:34:54 UTC (rev 38376)
+++ data/CVE/list	2015-12-16 23:18:52 UTC (rev 38377)
@@ -4374,6 +4374,9 @@
 	RESERVED
 CVE-2015-7551
 	RESERVED
+	- ruby2.2 <unfixed> (bug #796551)
+	NOTE: https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
+	TODO: check correctness for CVE-2009-5147/CVE-2015-7551 record since affects multiple ruby versions
 CVE-2015-7550
 	RESERVED
 CVE-2015-7549 [pci: msi-x: null pointer dereference issue]
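Review bot: The added CVE-2015-7551 entry lists only ruby2.2, while the TODO line added with it says the issue "affects multiple ruby versions", so the record is incomplete as committed. Suggest adding a line for each other ruby source package (affected, or explicitly not-affected with a reason), or at least naming the packages still to be checked in the TODO so it can be closed out later. The record is also still marked RESERVED with no bracketed description; a short description like the one on CVE-2015-7549 would make the entry easier to find.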
@@ -19322,7 +19325,7 @@
 	- ruby2.0 <removed>
 	- ruby2.1 <unfixed> (bug #796344)
 	[jessie] - ruby2.1 <no-dsa> (Minor issue)
-	- ruby2.2 <unfixed> (bug #796551)
+	- ruby2.2 <not-affected> (Does not contain DL, cf note and corresponding CVE-2015-7551)
 	NOTE: https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
 	NOTE: Although the is upstream commit mentioned, the corresponding change does not
 	NOTE: seem to be contained in e.g. latest 1.9.1 and 2.1. E.g.
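Review bot: The new not-affected reason on the ruby2.2 line says "cf note", but none of the NOTE lines visible in this hunk explains that ruby2.2 does not contain DL or how this record relates to CVE-2015-7551. Suggest adding a NOTE here stating that, with a pointer to the ruby-lang.org advisory already referenced under CVE-2015-7551, so the cross-reference resolves from this record alone. Bug #796551 moves from this record to CVE-2015-7551 in the same commit, so it is worth confirming that the bug report itself now refers to CVE-2015-7551. As a style point, the context line "Although the is upstream commit mentioned" has transposed words and could be fixed while this record is being touched.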



