Created attachment 212665
patch

See also: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Not tested that ports depending on rubygem-json work properly after the update.
I'll try to test it later, but any help is appreciated. Also I think vuxml needs to be updated, but I've never done that before.
(In reply to Koichiro Iwao from comment #1)

Steps to create a vuxml entry:

1) cd to security/vuxml in the ports development tree
2) make install clean (installs vuxml validation tools)
3) make newentry
4) edit the new entry that was created in vuxml.xml by (3)
5) Run `make validate` to validate the entry
6) svn diff in security/vuxml to create the patch
Created attachment 212683
vuxml-patch
With a quick lookup, the following ports are affected. Performing build tests on this.

% pkg rquery %ro rubygem-json
security/metasploit
net/foreman-proxy
www/rubygem-tumblr_client
net/rubygem-twitter4r
security/rubygem-twitter_oauth
graphics/rubygem-emoji
devel/rubygem-fog
net/rubygem-fog-gridscale
devel/rubygem-gem-compare
graphics/rubygem-gemojione
graphics/rubygem-gemojione32
devel/rubygem-gems
devel/rubygem-jenkins_api_client
devel/rubygem-kafo_parsers
www/rubygem-nicovideo
devel/rubygem-oci
net/rubygem-opennebula
net/rubygem-ovirt-engine-sdk
net-mgmt/rubygem-oxidized-web
www/rubygem-pagerduty
converters/rubygem-po_to_json
www/rubygem-pusher-client
devel/rubygem-apipie-bindings
net/rubygem-rbvmomi
devel/rubygem-recaptcha
net-mgmt/rubygem-riemann-tools
sysutils/rubygem-backup
devel/rubygem-rubytree
net/rubygem-rubytter
comms/rubygem-callsign
devel/rubygem-cloudfiles
irc/rubygem-cogbot
devel/rubygem-simplecov
net/rubygem-dropbox-sdk
Except for irc/rubygem-cogbot, it looks fine. Regarding that port, I submitted a patch at bug 245044.

====> Compressing man pages (compress-man)
===========================================================================
====> Running Q/A tests (stage-qa)
Error: RubyGem dependency json ~> 2.1.0 is not satisfied.
*** Error code 1

Stop.
make: stopped in /usr/ports/irc/rubygem-cogbot
=>> Error: stage-qa failures detected
build of irc/rubygem-cogbot | rubygem-cogbot-0.1.13_5 ended at Wed Mar 25 11:25:31 JST 2020
build time: 00:00:33
!!! build failure encountered !!!
[00:01:40] Error: Build failed in phase: stage-qa
[00:01:40] Cleaning up
[00:01:40] Unmounting file systems
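The stage-qa error above means the cogbot gem declares its json dependency as `~> 2.1.0`, and the updated json 2.3.0 no longer satisfies that pessimistic constraint. As an added illustration (not code from this PR or from any of the ports), the Ruby snippet below uses RubyGems' own Gem::Requirement to predict which dependents of a gem will fail stage-qa after an update; only the cogbot constraint comes from the log, the other port names and constraints are hypothetical.

```ruby
require "rubygems"

# Constructed sample of json dependency constraints keyed by port origin.
# "irc/rubygem-cogbot" => "~> 2.1.0" is taken from the stage-qa error above;
# the "example/*" entries are hypothetical and only show how other
# constraint styles behave against the same update.
SAMPLE_CONSTRAINTS = {
  "irc/rubygem-cogbot" => "~> 2.1.0",  # pessimistic: >= 2.1.0, < 2.2
  "example/loose-pin"  => "~> 2.1",    # pessimistic: >= 2.1, < 3.0
  "example/floor-only" => ">= 2.0",    # any 2.0 or newer
  "example/exact-pin"  => "= 2.1.0",   # exact version only
}.freeze

# True when a gem version satisfies a gemspec-style requirement string.
# Gem::Requirement implements the same matching rubygems uses at install
# time, so this mirrors what the stage-qa dependency check evaluates.
def satisfied?(constraint, version)
  Gem::Requirement.new(constraint).satisfied_by?(Gem::Version.new(version))
end

# Ports whose declared constraint on the updated gem is no longer met.
# These are the ones that need a PORTREVISION bump plus a relaxed
# constraint (or an upstream update) before the gem update lands.
def broken_after_update(constraints, new_version)
  constraints.reject { |_port, req| satisfied?(req, new_version) }.keys
end

if __FILE__ == $PROGRAM_NAME
  new_json = "2.3.0"  # version devel/rubygem-json is being updated to
  SAMPLE_CONSTRAINTS.each do |port, req|
    state = satisfied?(req, new_json) ? "ok" : "NOT satisfied"
    puts format("%-22s json %-9s -> %s", port, req, state)
  end
  puts "Would fail stage-qa: #{broken_after_update(SAMPLE_CONSTRAINTS, new_json).join(', ')}"
end
```

Running this before committing a gem update is a cheap way to find dependents that need a constraint fix, complementing the full build tests done above.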
A commit references this bug:

Author: meta
Date: Thu Mar 26 04:40:23 UTC 2020
New revision: 529161
URL: https://svnweb.freebsd.org/changeset/ports/529161

Log:
  security/vuxml: Document CVE-2020-10663 (devel/rubygem-json)

  PR: 245023

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: meta
Date: Thu Mar 26 04:58:13 UTC 2020
New revision: 529164
URL: https://svnweb.freebsd.org/changeset/ports/529164

Log:
  devel/rubygem-json: Update to 2.3.0

  This update includes fixes for CVE-2020-10663 [1].

  [1] https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

  PR: 245023
  MFH: 2020Q1
  Security: 40194e1c-6d89-11ea-8082-80ee73419af3

Changes:
  head/devel/rubygem-json/Makefile
  head/devel/rubygem-json/distinfo
The new quarterly branch has been branched, so the fix is applied to quarterly.