[Git][security-tracker-team/security-tracker][master] Conclusion for jessie regarding CVE-2020-10663. The package ruby-json should...

Ola Lundqvist opal at debian.org
Mon Apr 27 21:22:17 BST 2020 


Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dd0cff64 by Ola Lundqvist at 2020-04-27T22:22:05+02:00
Conclusion for jessie regarding CVE-2020-10663. The package ruby-json should be fixed since the code is clearly vulnerable and it looks like a rather serious problem. Ruby version 2.1 is not vulnerable since it does not have this piece of code. Marked this without any jessis specific tag since 2.1 is only in jessie and therefore does not affect any other release.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5091,7 +5091,7 @@ CVE-2020-10663 [Unsafe Object Creation Vulnerability in JSON (Additional fix to
 	- ruby2.7 <not-affected> (Fixed before initial upload to Debian)
 	- ruby2.5 <unfixed>
 	- ruby2.3 <removed>
-	- ruby2.1 <removed>
+	- ruby2.1 <not-affected> (Vulnerable source not in this source package)
 	NOTE: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
 	NOTE: https://hackerone.com/reports/706934
 	NOTE: https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01 (2.6.6)


=====================================
data/dla-needed.txt
=====================================
@@ -86,6 +86,8 @@ php5 (Thorsten Alteholz)
 --
 qemu (Adrian Bunk)
 --
+ruby-json
+--
 ruby-rack
   NOTE: 20191219: The security update causes a regression and also, there's a
   NOTE: slight possibility of this patch inducing a backdoor on its own. (utkarsh2102)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd0cff642a311169a1dc77a777801699939c4e6d

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd0cff642a311169a1dc77a777801699939c4e6d
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200427/f0801c9a/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list