Salvatore,

* Salvatore Bonaccorso <car...@debian.org> [150627 13:57]:
> Source: ruby2.1
> Version: 2.1.5-1
> Severity: important
> Tags: security upstream patch fixed-upstream
>
> The following vulnerability was published for ruby2.1.
>
> CVE-2015-3900[0]:
> | RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before
> | 2.4.7 does not validate the hostname when fetching gems or making API
> | requests, which allows remote attackers to redirect requests to
> | arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack
> | attack."
Thank you for bringing this to our attention. I suspect upstream will
upgrade to 2.2.5 (on the ruby 2.1 branch) in the next few days, and then
I'd like to import that, if nobody objects.

Best,
-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
  `-
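The CVE text quoted above says RubyGems followed the target named by a DNS SRV record without checking that it belonged to the gem source's domain. The Ruby below is an added illustration of that check, written for this thread; it is not RubyGems' code and does not reproduce the upstream patch. The SRV answers are constructed in-process (the FAKE_SRV table) so nothing resolves over the network, and the helper names (trusted_srv_target?, api_endpoint_unchecked, api_endpoint_checked) are hypothetical.

```ruby
# Added example (not RubyGems' own code): a hostname check for the SRV-based
# endpoint lookup described in CVE-2015-3900. RubyGems queries
# _rubygems._tcp.<host> and, before the fix, used whatever target the
# answer named. The check below only accepts a target that is the original
# host itself or a subdomain of it.
require "uri"

# Constructed SRV answers keyed by the name that would be queried. An attacker
# who controls the DNS response can return any target; the last two entries
# imitate that. Nothing here touches the network.
FAKE_SRV = {
  "_rubygems._tcp.rubygems.org"   => "api.rubygems.org",              # legitimate
  "_rubygems._tcp.gems.example"   => "evil.invalid",                  # other domain
  "_rubygems._tcp.mirror.example" => "mirror.exampleevil.invalid",    # suffix trick
}.freeze

# True only if target equals host or ends with ".<host>". The leading dot is
# essential: a bare end_with?(host) would accept "<host>evil.invalid".
def trusted_srv_target?(host, target)
  host   = host.downcase.chomp(".")
  target = target.downcase.chomp(".")
  target == host || target.end_with?(".#{host}")
end

# Pre-fix behaviour: follow the SRV target unconditionally.
def api_endpoint_unchecked(source_uri, srv = FAKE_SRV)
  uri    = URI(source_uri)
  target = srv["_rubygems._tcp.#{uri.host}"]
  return uri unless target
  URI("#{uri.scheme}://#{target}#{uri.path}")
end

# Hardened behaviour: follow the target only when it stays inside the
# configured source's domain; otherwise keep the URI the user configured.
def api_endpoint_checked(source_uri, srv = FAKE_SRV)
  uri    = URI(source_uri)
  target = srv["_rubygems._tcp.#{uri.host}"]
  return uri unless target && trusted_srv_target?(uri.host, target)
  URI("#{uri.scheme}://#{target}#{uri.path}")
end

if __FILE__ == $PROGRAM_NAME
  %w[https://rubygems.org/ https://gems.example/ https://mirror.example/].each do |src|
    puts "#{src}: unchecked -> #{api_endpoint_unchecked(src)} | checked -> #{api_endpoint_checked(src)}"
  end
end
```

Running the script shows the two constructed hostile answers being followed by the unchecked lookup and ignored by the checked one, while the legitimate api.rubygems.org target is still accepted.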