Source: mruby
Version: 1.4.0-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/mruby/mruby/issues/4001

Hi,

The following vulnerability was published for mruby.

CVE-2018-10199[0]:
| In versions of mruby up to and including 1.4.0, a use-after-free
| vulnerability exists in src/io.c::File#initilialize_copy(). An attacker
| that can cause Ruby code to be run can possibly use this to execute
| arbitrary code.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10199
[1] https://github.com/mruby/mruby/issues/4001
[2] https://github.com/mruby/mruby/commit/b51b21fc63c9805862322551387d9036f2b63433

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore