FreeBSD Bugzilla – Attachment 212683 Details for Bug 245023
devel/rubygem-json: Update to 2.3.0 (CVE-2020-10663)
[patch] vuxml-patch
vuxml.patch (text/plain), 2.23 KB, created by Koichiro Iwao on 2020-03-25 00:29:00 UTC
Description: vuxml-patch
Filename: vuxml.patch
MIME Type: text/plain
Creator: Koichiro Iwao
Created: 2020-03-25 00:29:00 UTC
Size: 2.23 KB
patch, obsolete
>Index: security/vuxml/vuln.xml >=================================================================== >--- security/vuxml/vuln.xml (revision 528918) >+++ security/vuxml/vuln.xml (working copy) 
>@@ -58,6 +58,46 @@ > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="40194e1c-6d89-11ea-8082-80ee73419af3"> >+ <topic>rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix)</topic> >+ <affects> >+ <package> >+ <name>rubygem-json</name> >+ <range><le>2.3.0</le></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <blockquote cite="https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/"> >+ <p>When parsing certain JSON documents, the json gem (including the >+ one bundled with Ruby) can be coerced into creating arbitrary objects >+ in the target system.</p> >+ <p>This is the same issue as CVE-2013-0269. The previous fix was incomplete, >+ which addressed JSON.parse(user_input), but didnât address some other >+ styles of JSON parsing including JSON(user_input) and >+ JSON.parse(user_input, nil).</p> >+ <p>See CVE-2013-0269 in detail. Note that the issue was exploitable to >+ cause a Denial of Service by creating many garbage-uncollectable >+ Symbol objects, but this kind of attack is no longer valid because >+ Symbol objects are now garbage-collectable. However, creating arbitrary >+ bjects may cause severe security consequences depending upon the >+ application code.</p> >+ <p>Please update the json gem to version 2.3.0 or later. You can use >+ gem update json to update it. If you are using bundler, please add >+ gem "json", ">= 2.3.0" to your Gemfile.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/</url> >+ <cvename>CVE-2020-10663</cvename> >+ </references> >+ <dates> >+ <discovery>2020-03-19</discovery> >+ <entry>2020-03-24</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="6b90acba-6a0a-11ea-92ab-00163e433440"> > <topic>FreeBSD -- Kernel memory disclosure with nested jails</topic> > <affects>
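Review bot: the `<range><le>2.3.0</le></range>` in the new `<affects>` block marks 2.3.0 itself as vulnerable, but the quoted advisory ("Please update the json gem to version 2.3.0 or later") and the bug title both treat 2.3.0 as the fixed version; it should be `<range><lt>2.3.0</lt></range>`, otherwise the updated port is still reported as affected by pkg audit. Two text problems in the same entry: the `<topic>` reads "Unsafe Objection Creation" where the upstream advisory title is "Unsafe Object Creation", and the quoted paragraphs carry the mis-encoded "didnât" (should be the plain ASCII "didn't") and the truncated "bjects" for "objects". The description also says the copy bundled with Ruby is affected, yet `<affects>` lists only rubygem-json; worth confirming whether the ruby ports that bundle the gem need a `<package>` entry here too.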