| Field | Value |
|---|---|
| Summary | [PATCH] devel/ruby-gems: update to 2.4.7 |
| Product | Ports & Packages |
| Reporter | Santiago Pastorino <spastorino> |
| Component | Individual Port(s) |
| Assignee | Michael Moll <mmoll> |
| Status | Closed FIXED |
| Severity | Affects Many People |
| CC | junovitch, mmoll, tom |
| Priority | --- |
| Keywords | patch |
| Version | Latest |
| Flags | maintainer-feedback? (ruby) |
| Hardware | Any |
| OS | Any |
| Attachments | |
Description
Santiago Pastorino
2015-05-17 11:36:20 UTC
A commit references this bug:

Author: mmoll
Date: Sun May 17 15:48:14 UTC 2015
New revision: 386625
URL: https://svnweb.freebsd.org/changeset/ports/386625

Log:
security/vuxml: Add CVE-2015-3900 entry for devel/ruby-gems

PR: 200264
Differential Revision: https://reviews.freebsd.org/D2572
Approved by: mat (mentor)
Security: CVE-2015-3900

Changes:
head/security/vuxml/vuln.xml

A commit references this bug:

Author: mmoll
Date: Sun May 17 15:49:16 UTC 2015
New revision: 386626
URL: https://svnweb.freebsd.org/changeset/ports/386626

Log:
devel/ruby-gems: update to 2.4.7

PR: 200264
Differential Revision: https://reviews.freebsd.org/D2572
Submitted by: Santiago Pastorino <spastorino@gmail.com>
Approved by: mat (mentor)
Security: CVE-2015-3900

Changes:
head/devel/ruby-gems/Makefile
head/devel/ruby-gems/distinfo

committed, thanks!

A commit references this bug:

Author: mmoll
Date: Mon May 18 18:44:29 UTC 2015
New revision: 386699
URL: https://svnweb.freebsd.org/changeset/ports/386699

Log:
MFH: r386626

devel/ruby-gems: update to 2.4.7

PR: 200264
Differential Revision: https://reviews.freebsd.org/D2572
Submitted by: Santiago Pastorino <spastorino@gmail.com>
Approved by: mat (mentor)
Security: CVE-2015-3900
Approved by: ports-secteam (delphij)

Changes:
_U branches/2015Q2/
branches/2015Q2/devel/ruby-gems/Makefile
branches/2015Q2/devel/ruby-gems/distinfo

Thomas Hurst (comment #6):

Fix for this is incomplete: https://github.com/rubygems/rubygems/commit/5c7bfb5c05202b4db971dd672d88a42298a0d84e

(In reply to Thomas Hurst from comment #6)

I opened https://github.com/rubygems/rubygems/issues/1325 upstream since their GitHub still reflects 2.4.7 as fixing CVE-2015-3900. Based on http://blog.rubygems.org/2015/06/08/2.4.8-released.html they mention "Tightened API endpoint checks for CVE-2015-3900", but I'm trying to understand the logic behind why they didn't update their advisory before I try to change it.