[DRE-maint] CVE-2019-5477: ruby-nokogiri issue caused by rexical

mike.gabriel at das-netzwerkteam.de
Fri Aug 30 21:22:22 BST 2019


Hi,

On Friday, 30 August 2019, Salvatore Bonaccorso wrote:
> hi Mike,
> 
> On Fri, Aug 30, 2019 at 03:22:23PM +0200, Salvatore Bonaccorso wrote:
> > Hi Mike,
> > 
> > On Fri, Aug 30, 2019 at 11:25:16AM +0000, Mike Gabriel wrote:
> > > However, to address CVE-2019-5477 it should also be associated to the
> > > rexical src:pkg in stretch and later. @security-team: can you please update
> > > data/CVE/list appropriately (instead of me updating it and you correcting my
> > > change)? Thanks!
> > 
> > The CVE is very specifically assigned to Nokogiri itself (Nokogiri does
> > not regenerate the code with rexical AFAICS, but I will double check
> > again). Thus I am not updating it for now, but I have a pending request to
> > MITRE to clarify the scope of the CVE.
> 
> MITRE confirmed the scope can be covered by the change in rexical as
> well considering it a vulnerability in that source as well.
> 
> Thus following that, I added it now.
> 
> Regards,
> Salvatore
>

Thanks for handling this and updating the tracker.

Mike

-- 
Sent from my Fairphone2 (powered by Sailfish OS).