Bug 200264 - [PATCH] devel/ruby-gems: update to 2.4.7
Summary: [PATCH] devel/ruby-gems: update to 2.4.7
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Michael Moll
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2015-05-17 11:36 UTC by Santiago Pastorino
Modified: 2015-08-04 00:04 UTC (History)
CC: 3 users

See Also:
bugzilla: maintainer-feedback? (ruby)


Attachments
RG 2.4.7 update patch (794 bytes, patch)
2015-05-17 11:36 UTC, Santiago Pastorino
no flags

Description Santiago Pastorino 2015-05-17 11:36:20 UTC
Created attachment 156851 [details]
RG 2.4.7 update patch

Patch to update to the latest RubyGems version. It has an important security fix; more info: http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
Comment 1 Michael Moll freebsd_committer freebsd_triage 2015-05-17 14:16:51 UTC
take
Comment 2 commit-hook freebsd_committer freebsd_triage 2015-05-17 15:48:17 UTC
A commit references this bug:

Author: mmoll
Date: Sun May 17 15:48:14 UTC 2015
New revision: 386625
URL: https://svnweb.freebsd.org/changeset/ports/386625

Log:
  security/vuxml: Add CVE-2015-3900 entry for devel/ruby-gems

  PR:		200264
  Differential Revision:	https://reviews.freebsd.org/D2572
  Approved by:	mat (mentor)
  Security:	CVE-2015-3900

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer freebsd_triage 2015-05-17 15:49:18 UTC
A commit references this bug:

Author: mmoll
Date: Sun May 17 15:49:16 UTC 2015
New revision: 386626
URL: https://svnweb.freebsd.org/changeset/ports/386626

Log:
  devel/ruby-gems: update to 2.4.7

  PR:		200264
  Differential Revision:	https://reviews.freebsd.org/D2572
  Submitted by:	Santiago Pastorino <spastorino@gmail.com>
  Approved by:	mat (mentor)
  Security:	CVE-2015-3900

Changes:
  head/devel/ruby-gems/Makefile
  head/devel/ruby-gems/distinfo
Comment 4 Michael Moll freebsd_committer freebsd_triage 2015-05-17 15:51:02 UTC
committed, thanks!
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-05-18 18:44:36 UTC
A commit references this bug:

Author: mmoll
Date: Mon May 18 18:44:29 UTC 2015
New revision: 386699
URL: https://svnweb.freebsd.org/changeset/ports/386699

Log:
  MFH: r386626

  devel/ruby-gems: update to 2.4.7

  PR:		200264
  Differential Revision:	https://reviews.freebsd.org/D2572
  Submitted by:	Santiago Pastorino <spastorino@gmail.com>
  Approved by:	mat (mentor)
  Security:	CVE-2015-3900

  Approved by:	ports-secteam (delphij)

Changes:
_U  branches/2015Q2/
  branches/2015Q2/devel/ruby-gems/Makefile
  branches/2015Q2/devel/ruby-gems/distinfo
Comment 6 Thomas Hurst 2015-05-20 05:14:35 UTC
Fix for this is incomplete: https://github.com/rubygems/rubygems/commit/5c7bfb5c05202b4db971dd672d88a42298a0d84e
Comment 7 Jason Unovitch freebsd_committer freebsd_triage 2015-08-04 00:04:15 UTC
(In reply to Thomas Hurst from comment #6)

I opened https://github.com/rubygems/rubygems/issues/1325 upstream since their GitHub still reflects 2.4.7 as fixing CVE-2015-3900.

Based on http://blog.rubygems.org/2015/06/08/2.4.8-released.html they mention "Tightened API endpoint checks for CVE-2015-3900" but I'm trying to understand the logic behind why they didn't update their advisory before I try to change it.