CVE-2015-1820, CVE-2015-3448 https://github.com/rest-client/rest-client/issues/369 https://github.com/rest-client/rest-client/issues/349
take.
A commit references this bug:

Author: mmoll
Date: Sun May 31 20:58:17 UTC 2015
New revision: 388165
URL: https://svnweb.freebsd.org/changeset/ports/388165

Log:
  www/rubygem-rest-client: update to 1.8.0

  PR:                   200504
  Differential Revision: https://reviews.freebsd.org/D2696
  Submitted by:         Sevan Janiyan <venture37@geeklan.co.uk>
  Approved by:          swills (mentor)
  Security:             CVE-2015-1820
  Security:             CVE-2015-3448

Changes:
  head/databases/rubygem-couchrest/Makefile
  head/databases/rubygem-couchrest/files/
  head/databases/rubygem-couchrest/files/patch-couchrest.gemspec
  head/devel/rubygem-apipie-bindings/Makefile
  head/devel/rubygem-apipie-bindings/files/
  head/devel/rubygem-apipie-bindings/files/patch-apipie-bindings.gemspec
  head/sysutils/rubygem-chef/Makefile
  head/sysutils/rubygem-chef/files/patch-chef.gemspec
  head/sysutils/rubygem-chef/files/patch-gemspec
  head/sysutils/rubygem-hammer_cli/Makefile
  head/sysutils/rubygem-hammer_cli/files/patch-gemspec
  head/sysutils/rubygem-hammer_cli/files/patch-hammer__cli.gemspec
  head/sysutils/rubygem-hammer_cli_foreman/Makefile
  head/sysutils/rubygem-hammer_cli_foreman/files/
  head/sysutils/rubygem-hammer_cli_foreman/files/patch-hammer__cli__foreman.gemspec
  head/www/rubygem-heroku/Makefile
  head/www/rubygem-heroku/files/
  head/www/rubygem-heroku/files/patch-heroku.gemspec
  head/www/rubygem-kensa/Makefile
  head/www/rubygem-kensa/files/
  head/www/rubygem-kensa/files/patch-kensa.gemspec
  head/www/rubygem-rest-client/Makefile
  head/www/rubygem-rest-client/distinfo
(In reply to commit-hook from comment #2) Thanks! Could you please also document the issue in vuxml (feel free to ask ports-secteam@ if help is needed or you want us to do it for you)? Also, how big will the change be? Can it be backported to the branch (it seems like many Ruby applications do not like big version jumps)?
I have a review open for that: https://reviews.freebsd.org/D2699 - I guess it's OK for me to commit if some security person is ACKing this. Regarding MFHing, I was somehow thinking it's already the end of June and the new quarterly branch is just about due, but yeah, this needs some backporting; will cook something up.
(In reply to Michael Moll from comment #4) Yes, please go ahead and commit the change with a PORTREVISION bump. Thanks a lot for working on this!
A commit references this bug:

Author: mmoll
Date: Mon Jun 1 18:44:15 UTC 2015
New revision: 388251
URL: https://svnweb.freebsd.org/changeset/ports/388251

Log:
  security/vuxml: add www/rubygem-rest-client vulnerabilities

  PR:                   200504
  Differential Revision: https://reviews.freebsd.org/D2699
  Submitted by:         Sevan Janiyan <venture37@geeklan.co.uk>
  Approved by:          ports-secteam (delphij, eadler)
  Security:             CVE-2015-1820
  Security:             CVE-2015-3448

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: mmoll
Date: Mon Jun 1 18:51:48 UTC 2015
New revision: 388252
URL: https://svnweb.freebsd.org/changeset/ports/388252

Log:
  www/rubygem-rest-client: import two security fixes

  This is a direct commit to branches/2015Q2, as rubygem-rest-client was
  already updated to 1.8.0 in head.

  PR:                   200504
  Differential Revision: https://reviews.freebsd.org/D2707
  Approved by:          ports-secteam (delphij)
  Security:             CVE-2015-1820
  Security:             CVE-2015-3448

Changes:
  branches/2015Q2/www/rubygem-rest-client/Makefile
  branches/2015Q2/www/rubygem-rest-client/files/
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_abstract__response.rb
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_raw__response.rb
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_request.rb
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_response.rb
  branches/2015Q2/www/rubygem-rest-client/files/patch-rest-client.gemspec
Should be all good now, finally. :) Thanks for reporting this!