[Git][security-tracker-team/security-tracker][master] src:rubygems has been re-introduced into the archive
Salvatore Bonaccorso
carnil at debian.org
Mon Oct 19 05:49:23 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
252f0e58 by Salvatore Bonaccorso at 2020-10-19T06:47:18+02:00
src:rubygems has been re-introduced into the archive
The initial upload states:
- Upstream bundler source code is now hosted in the same git repository as
rubygems; due to that, this new source package is introduced and it will
provide the binaries previously provided by src:bundler (ruby-bundler
and bundler). src:bundler will be removed after src:rubygems is accepted.
We need to recheck if any of these previously unfixed issues are still
unfixed or now addressed with this initial first re-upload.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -100054,7 +100054,7 @@ CVE-2019-8325 (An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- ruby2.5 2.5.5-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
- jruby 9.1.17.0-3 (bug #925987)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
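Review bot: <unfixed> on the rubygems line is only a placeholder here, because the hunk header already bounds the affected range at "RubyGems 2.6 and later through 3.0.2" and the commit message says the recheck is still pending; once the version of the initial src:rubygems upload is known and it is newer than 3.0.2, this line should carry that version in the same form the hunk uses for ruby2.5 ("- ruby2.5 2.5.5-1") instead of leaving an open issue recorded against the new package. The same applies to the other CVE-2019-832x hunks below, which share this affected range and were flipped the same way.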
@@ -100064,7 +100064,7 @@ CVE-2019-8324 (An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- ruby2.5 2.5.5-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
- jruby 9.1.17.0-3 (bug #925987)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
@@ -100074,7 +100074,7 @@ CVE-2019-8323 (An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- ruby2.5 2.5.5-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
- jruby 9.1.17.0-3 (bug #925987)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
@@ -100084,7 +100084,7 @@ CVE-2019-8322 (An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- ruby2.5 2.5.5-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
- jruby 9.1.17.0-3 (bug #925987)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
@@ -100095,7 +100095,7 @@ CVE-2019-8321 (An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- ruby2.3 <removed>
- ruby2.1 <removed>
[jessie] - ruby2.1 <not-affected> (Vulnerable code introduced later)
- - rubygems <removed>
+ - rubygems <unfixed>
- jruby 9.1.17.0-3 (bug #925987)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
@@ -100105,7 +100105,7 @@ CVE-2019-8320 (A Directory Traversal issue was discovered in RubyGems 2.7.6 and
- ruby2.5 2.5.5-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
- jruby 9.1.17.0-3 (bug #925987)
[jessie] - jruby <not-affected> (Vulnerable code introduced later)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
@@ -155706,7 +155706,7 @@ CVE-2018-1000079 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
- ruby2.1 <removed>
- ruby1.9.1 <removed>
[wheezy] - ruby1.9.1 <no-dsa> (Minor issue, too intrusive to backport)
- - rubygems <removed>
+ - rubygems <unfixed>
[wheezy] - rubygems <not-affected> (Vulnerable code not present)
- jruby 9.1.17.0-1 (bug #895778)
[jessie] - jruby <not-affected> (Vulnerable code not present)
@@ -155720,7 +155720,7 @@ CVE-2018-1000078 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
- ruby2.3 <removed>
- ruby2.1 <removed>
- ruby1.9.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
- jruby 9.1.17.0-1 (bug #895778)
NOTE: https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
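Review bot: the recheck the commit message asks for can be settled for this entry from its own NOTE line: the upstream fix is pinned to commit 66a28b9275551384fdab45f3591a82d6b59952cb in rubygems/rubygems, so confirming that this commit is an ancestor of the upstream tag the re-introduced package is built from (git merge-base --is-ancestor, run in a clone of the upstream repository) is enough to replace <unfixed> with the fixed version. Most of the following CVE-2018-1000xxx hunks also carry their fix commit in a NOTE line and can be closed the same way.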
@@ -155730,7 +155730,7 @@ CVE-2018-1000077 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
- ruby2.3 <removed>
- ruby2.1 <removed>
- ruby1.9.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
- jruby 9.1.17.0-1 (bug #895778)
NOTE: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
@@ -155740,7 +155740,7 @@ CVE-2018-1000076 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
- ruby2.3 <removed>
- ruby2.1 <removed>
- ruby1.9.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
- jruby 9.1.17.0-1 (bug #895778)
NOTE: https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
@@ -155750,7 +155750,7 @@ CVE-2018-1000075 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
- ruby2.3 <removed>
- ruby2.1 <removed>
- ruby1.9.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
- jruby 9.1.17.0-1 (bug #895778)
NOTE: https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
@@ -155761,7 +155761,7 @@ CVE-2018-1000074 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
- ruby2.1 <removed>
- ruby1.9.1 <removed>
[wheezy] - ruby1.9.1 <no-dsa> (Minor issue, too intrusive to backport)
- - rubygems <removed>
+ - rubygems <unfixed>
[wheezy] - rubygems <no-dsa> (Minor issue)
- jruby 9.1.17.0-1 (bug #895778)
NOTE: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
@@ -155773,7 +155773,7 @@ CVE-2018-1000073 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
- ruby2.1 <removed>
- ruby1.9.1 <removed>
[wheezy] - ruby1.9.1 <not-affected> (Vulnerable code not present)
- - rubygems <removed>
+ - rubygems <unfixed>
[wheezy] - rubygems <not-affected> (Vulnerable code not present)
- jruby 9.1.17.0-2.1 (bug #895778; bug #925986)
[jessie] - jruby <not-affected> (Vulnerable code not present)
@@ -225711,7 +225711,7 @@ CVE-2017-0903 (RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a po
- ruby2.1 <removed>
- ruby1.9.1 <removed>
[wheezy] - ruby1.9.1 <not-affected> (Vulnerable code introduced later)
- - rubygems <removed>
+ - rubygems <unfixed>
[wheezy] - rubygems <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2017/10/10/2
NOTE: https://justi.cz/security/2017/10/07/rubygems-org-rce.html
@@ -225722,7 +225722,7 @@ CVE-2017-0902 (RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijack
- ruby2.1 <removed>
- ruby1.9.1 <removed>
[wheezy] - ruby1.9.1 <not-affected> (Vulnerable code introduced later)
- - rubygems <removed>
+ - rubygems <unfixed>
[wheezy] - rubygems <not-affected> (Vulnerable code introduced later)
NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
@@ -225733,7 +225733,7 @@ CVE-2017-0901 (RubyGems version 2.6.12 and earlier fails to validate specificati
- ruby2.3 2.3.3-1+deb9u1 (bug #873802)
- ruby2.1 <removed>
- ruby1.9.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch
@@ -225743,7 +225743,7 @@ CVE-2017-0900 (RubyGems version 2.6.12 and earlier is vulnerable to maliciously
- ruby2.3 2.3.3-1+deb9u1 (bug #873802)
- ruby2.1 <removed>
- ruby1.9.1 <removed>
- - rubygems <removed>
+ - rubygems <unfixed>
NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch
@@ -225753,7 +225753,7 @@ CVE-2017-0899 (RubyGems version 2.6.12 and earlier is vulnerable to maliciously
- ruby2.3 2.3.3-1+deb9u1 (unimportant; bug #873802)
- ruby2.1 <removed> (unimportant)
- ruby1.9.1 <removed> (unimportant)
- - rubygems <removed> (unimportant)
+ - rubygems <unfixed> (unimportant)
NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch
@@ -317098,7 +317098,7 @@ CVE-2013-4365 (Heap-based buffer overflow in the fcgid_header_bucket_read functi
CVE-2013-4364 ((1) oo-analytics-export and (2) oo-analytics-import in the openshift-o ...)
NOT-FOR-US: OpenShift
CVE-2013-4363 (Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION ...)
- - rubygems <removed> (unimportant; bug #722361)
+ - rubygems <unfixed> (unimportant; bug #722361)
- libgems-ruby <removed> (unimportant; bug #722361)
NOTE: Non-issue, you trust the site providing the gem with installing arbitrary code, allowing
NOTE: it a potential elevated CPU consumption doesn't add any extra harm
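Review bot: libgems-ruby on the line directly below the change stays at <removed> while rubygems becomes <unfixed>, so this entry now tracks two source packages in different states for one CVE; that is right only if libgems-ruby is not coming back alongside src:rubygems, which the commit message does not say, and a short NOTE stating so would keep the next editor from flipping that line as well. Separately, the existing NOTE wording "allowing it a potential elevated CPU consumption doesn't add any extra harm" is a fragment; "allowing it to cause elevated CPU consumption adds no extra harm" reads cleanly, and the same sentence recurs in the CVE-2013-4287 entry below.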
@@ -317392,7 +317392,7 @@ CVE-2013-4288 (Race condition in PolicyKit (aka polkit) allows local users to by
[squeeze] - policykit-1 <no-dsa> (The update only deprecates an API and introduces a new option for pkcheck, no src package uses this API)
[wheezy] - policykit-1 <no-dsa> (The update only deprecates an API and introduces a new option for pkcheck, no src package uses this API)
CVE-2013-4287 (Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN ...)
- - rubygems <removed> (unimportant; bug #722361)
+ - rubygems <unfixed> (unimportant; bug #722361)
- libgems-ruby <removed> (unimportant; bug #722361)
NOTE: Non-issue, you trust the site providing the gem with installing arbitrary code, allowing
NOTE: it a potential elevated CPU consumption doesn't add any extra harm
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/252f0e584b28ffe8c60d54418cddd905bdafdeaa