[DRE-maint] Bug#842504: CVE-2016-7954: code execution via gem name collision in bundler
Moritz Mühlenhoff
jmm at inutil.org
Thu Jan 31 23:15:43 GMT 2019
On Sat, Oct 29, 2016 at 09:27:25PM +0200, Salvatore Bonaccorso wrote:
> Package: bundler
> Version: 1.7.4-1
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for bundler.
>
> CVE-2016-7954[0]:
> code execution via gem name collision in bundler
>
> Please correct me if I'm wrong. As far as I understand, this issue cannot
> be fixed within the 1.x series due to lockfile format. This bug is to
> continue tracking the CVE in the Debian BTS.
JFTR, Bundler 2 was released in early January.
Cheers,
Moritz