FreeBSD Bugzilla – Attachment 198343 Details for
Bug 232427
security/vuxml: Document multiple vulnerabilities in Ruby
[patch]
patch file
security_vuxml.patch (text/plain), 1.94 KB, created by
Yasuhiro Kimura
on 2018-10-19 00:56:44 UTC
>Index: vuln.xml >=================================================================== >--- vuln.xml (revision 482327) >+++ vuln.xml (working copy) >@@ -58,6 +58,39 @@ > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="f249857a-d334-11e8-ab5b-9c5c8e75236a"> >+ <topic>ruby -- multiple vulnerabilities</topic> >+ <affects> >+ <package> >+ <name>ruby</name> >+ <range><ge>2.3.0,1</ge><lt>2.3.8,1</lt></range> >+ <range><ge>2.4.0,1</ge><lt>2.4.5,1</lt></range> >+ <range><ge>2.5.0,1</ge><lt>2.5.2,1</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Chris Seaton and Tyler Eckstein reports:</p> >+ <blockquote cite="https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/"> >+ <p>CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly</p> >+ <p>The equality check of OpenSSL::X509::Name is not correctly in openssl extension library bundled with Ruby.</p> >+ <p>CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives</p> >+ <p>In Array#pack and String#unpack with some formats, the tainted flags of the original data are not propagated to the returned string/array.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/</url> >+ <url>https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/</url> >+ <cvename>CVE-2018-16395</cvename> >+ <cvename>CVE-2018-16396</cvename> >+ </references> >+ <dates> >+ <discovery>2018-10-17</discovery> >+ <entry>2018-10-19</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="2383767c-d224-11e8-9623-a4badb2f4699"> > <topic>libssh -- authentication bypass vulnerability</topic> > <affects>
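Review bot: The `<affects>` block in the new `f249857a-d334-11e8-ab5b-9c5c8e75236a` entry lists only `<name>ruby</name>`, while the comment just above `<vuxml>` in the context lines reminds authors "Do not forget port variants". Please confirm that no other package name ships the affected 2.3.x, 2.4.x or 2.5.x interpreters, and add a `<name>` for each one that does, otherwise installations under those names will not be matched by the three ranges. Two smaller points in the `<description>`: "Chris Seaton and Tyler Eckstein reports:" should read "report:" for a plural subject, and the `<blockquote cite=...>` points at the 2.5.2 release announcement although the entry also covers the 2.3 and 2.4 branches and the quoted paragraphs are about the two CVEs, so the quoted text should be checked against that page, or the cite changed to the per-CVE advisory URLs already listed under `<references>`.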