Bug 200504 - www/rubygem-rest-client: Multiple security vulnerabilities (CVE-2015-1820, CVE-2015-3448)
Summary: www/rubygem-rest-client: Multiple security vulnerabilities (CVE-2015-1820, CV...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Michael Moll
URL:
Keywords: needs-patch, security
Depends on:
Blocks:
 
Reported: 2015-05-28 23:36 UTC by Sevan Janiyan
Modified: 2015-06-01 18:53 UTC (History)
7 users (show)

See Also:
bugzilla: maintainer-feedback? (renchap)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Michael Moll freebsd_committer 2015-05-31 17:19:35 UTC
take.
Comment 2 commit-hook freebsd_committer 2015-05-31 20:58:27 UTC
A commit references this bug:

Author: mmoll
Date: Sun May 31 20:58:17 UTC 2015
New revision: 388165
URL: https://svnweb.freebsd.org/changeset/ports/388165

Log:
  www/rubygem-rest-client: update to 1.8.0

  PR:		200504
  Differential Revision:	https://reviews.freebsd.org/D2696
  Submitted by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Approved by:	swills (mentor)
  Security:	CVE-2015-1820
  Security:	CVE-2015-3448

Changes:
  head/databases/rubygem-couchrest/Makefile
  head/databases/rubygem-couchrest/files/
  head/databases/rubygem-couchrest/files/patch-couchrest.gemspec
  head/devel/rubygem-apipie-bindings/Makefile
  head/devel/rubygem-apipie-bindings/files/
  head/devel/rubygem-apipie-bindings/files/patch-apipie-bindings.gemspec
  head/sysutils/rubygem-chef/Makefile
  head/sysutils/rubygem-chef/files/patch-chef.gemspec
  head/sysutils/rubygem-chef/files/patch-gemspec
  head/sysutils/rubygem-hammer_cli/Makefile
  head/sysutils/rubygem-hammer_cli/files/patch-gemspec
  head/sysutils/rubygem-hammer_cli/files/patch-hammer__cli.gemspec
  head/sysutils/rubygem-hammer_cli_foreman/Makefile
  head/sysutils/rubygem-hammer_cli_foreman/files/
  head/sysutils/rubygem-hammer_cli_foreman/files/patch-hammer__cli__foreman.gemspec
  head/www/rubygem-heroku/Makefile
  head/www/rubygem-heroku/files/
  head/www/rubygem-heroku/files/patch-heroku.gemspec
  head/www/rubygem-kensa/Makefile
  head/www/rubygem-kensa/files/
  head/www/rubygem-kensa/files/patch-kensa.gemspec
  head/www/rubygem-rest-client/Makefile
  head/www/rubygem-rest-client/distinfo
Comment 3 Xin LI freebsd_committer 2015-06-01 06:24:27 UTC
(In reply to commit-hook from comment #2)
Thanks!

Could you please also document the issue in vuxml (feel ask ports-secteam@ if help is needed or you want us to do it for you)?

Also, how big will the change be?  Can it be backported to the branch (it seems like many Ruby applications does not like big version jumps)?
Comment 4 Michael Moll freebsd_committer 2015-06-01 11:26:44 UTC
I have a review open for that: https://reviews.freebsd.org/D2699 - I guess it's OK for me to commit if some security person is ACKing this.

Regarding to MFHing, I was somehow thinking it's already end of June and the new quarterly branch is just about due, but yeah, this needs some backporting, will cook something up.
Comment 5 Xin LI freebsd_committer 2015-06-01 18:19:34 UTC
(In reply to Michael Moll from comment #4)
Yes, please go a head and commit the change with a PORTREVISION bump.  Thanks a lot for working on this!
Comment 6 commit-hook freebsd_committer 2015-06-01 18:44:32 UTC
A commit references this bug:

Author: mmoll
Date: Mon Jun  1 18:44:15 UTC 2015
New revision: 388251
URL: https://svnweb.freebsd.org/changeset/ports/388251

Log:
  security/vuxml: add www/rubygem-rest-client vulnerabilities

  PR:		200504
  Differential Revision:	https://reviews.freebsd.org/D2699
  Submitted by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Approved by:	ports-secteam (delphij, eadler)
  Security:	CVE-2015-1820
  Security:	CVE-2015-3448

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer 2015-06-01 18:52:35 UTC
A commit references this bug:

Author: mmoll
Date: Mon Jun  1 18:51:48 UTC 2015
New revision: 388252
URL: https://svnweb.freebsd.org/changeset/ports/388252

Log:
  www/rubygem-rest-client: import two security fixes

  This is a direct commit to branches/2015Q2, as rubygem-rest-client was
  already updated to 1.8.0 in head.

  PR:		200504
  Differential Revision:	https://reviews.freebsd.org/D2707
  Approved by:	ports-secteam (delphij)
  Security:	CVE-2015-1820
  Security:	CVE-2015-3448

Changes:
  branches/2015Q2/www/rubygem-rest-client/Makefile
  branches/2015Q2/www/rubygem-rest-client/files/
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_abstract__response.rb
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_raw__response.rb
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_request.rb
  branches/2015Q2/www/rubygem-rest-client/files/patch-lib_restclient_response.rb
  branches/2015Q2/www/rubygem-rest-client/files/patch-rest-client.gemspec
Comment 8 Michael Moll freebsd_committer 2015-06-01 18:53:59 UTC
Should be all good now, finally. :)
Thanks for reporting this!