[Secure-testing-commits] r48221 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Fri Jan 20 10:16:08 UTC 2017


Author: carnil
Date: 2017-01-20 10:16:08 +0000 (Fri, 20 Jan 2017)
New Revision: 48221

Modified:
   data/CVE/list
Log:
Mark CVE-2016-2337 as no-dsa

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-01-20 09:58:39 UTC (rev 48220)
+++ data/CVE/list	2017-01-20 10:16:08 UTC (rev 48221)
@@ -36635,9 +36635,9 @@
 CVE-2016-2337 (Type confusion exists in _cancel_eval Ruby's TclTkIp class method. ...)
 	- ruby2.3 2.3.0-1
 	- ruby2.1 <removed> (bug #851161)
+	[jessie] - ruby2.1 <no-dsa> (Minor problem, only exploitable when used with Tcl/Tk8.6 and later)
 	NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0031/
 	NOTE: https://github.com/ruby/ruby/commit/a2b8925a94a672235ca6a16e584bf09026a957ab
-	TODO: check, might not be exploitable in jessie with ruby2.1, since requires cancel_eval which is supported in Tcl/Tk8.6 or later.
 CVE-2016-2336 (Type confusion exists in two methods of Ruby's WIN32OLE class, ...)
 	- ruby2.3 <unfixed> (unimportant)
 	- ruby2.1 <removed> (unimportant)
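
Review bot: On the added `[jessie] - ruby2.1 <no-dsa>` line, the justification says the issue is only exploitable with Tcl/Tk8.6 and later, but the entry never states which Tcl/Tk version jessie's ruby2.1 is used with, and the TODO that asked for exactly that check is removed in the same hunk. Consider recording the outcome of the check as a NOTE line under CVE-2016-2337 (for example, whether cancel_eval is reachable in jessie), so the no-dsa rationale can be re-verified later without repeating the analysis.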



