Index: security/vuxml/vuln.xml =================================================================== --- security/vuxml/vuln.xml (revision 528918) +++ security/vuxml/vuln.xml (working copy) @@ -58,6 +58,46 @@ * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix) + + + rubygem-json + 2.3.0 + + + + +
+

When parsing certain JSON documents, the json gem (including the + one bundled with Ruby) can be coerced into creating arbitrary objects + in the target system.

+

This is the same issue as CVE-2013-0269. The previous fix was incomplete, + which addressed JSON.parse(user_input), but didn’t address some other + styles of JSON parsing including JSON(user_input) and + JSON.parse(user_input, nil).

+

See CVE-2013-0269 in detail. Note that the issue was exploitable to + cause a Denial of Service by creating many garbage-uncollectable + Symbol objects, but this kind of attack is no longer valid because + Symbol objects are now garbage-collectable. However, creating arbitrary + bjects may cause severe security consequences depending upon the + application code.

+

Please update the json gem to version 2.3.0 or later. You can use + gem update json to update it. If you are using bundler, please add + gem "json", ">= 2.3.0" to your Gemfile.

+
+ +
+ + https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ + CVE-2020-10663 + + + 2020-03-19 + 2020-03-24 + +
+ FreeBSD -- Kernel memory disclosure with nested jails
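Review bot: the topic line in this hunk misspells the upstream advisory title as "Unsafe Objection Creation Vulnerability in JSON (Additional fix)"; the ruby-lang.org announcement the entry references (the CVE-2020-10663 URL under references) is titled "Unsafe Object Creation Vulnerability in JSON (Additional fix)", so change "Objection" to "Object" before committing. The last description paragraph also has a dropped letter, "creating arbitrary bjects may cause severe security consequences"; restore it to "objects". Two things to double-check in the affects block: the description says the flaw also applies to the json gem "bundled with Ruby", yet only rubygem-json is listed, so confirm whether the lang/ruby ports that ship the bundled gem need their own package entry (the file header's reminder about port variants applies here); and since the fix text says "version 2.3.0 or later", make sure the version bound is expressed as a strict less-than of 2.3.0 rather than an inclusive one, so that 2.3.0 itself is not reported as vulnerable.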