[Moritz Mühlenhoff]
> Does that also include the regression fix from CVE-2015-7551?
No, it did not. I had a look and pulled
https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
to fix this one. I will include it too in the upload, just need to
check with the release manag
* Petter Reinholdtsen [160606 15:27]:
> Thank you very much! But the second fails with ruby2.1 today:
> cve-2009-5147-fiddle-02.rb:18:in `call': tainted parameter not allowed
> (SecurityError)
[..]
> How come?
Ah. Maybe that was my demonstration program of what should have
happened. Unfortun
[Christian Hofstaedtler]
> I'm attaching two test programs that both raise a SecurityError on
> ruby2.2 in sid, but run through on ruby2.1 in jessie. They only
> cover two Fiddle cases, and no DL cases, though.
Thank you very much! But the second fails with ruby2.1 today:
% for f in *; do echo
Control: unarchive -1
[Christian Hofstaedtler 2016-01-03]
>> According to https://security-tracker.debian.org/tracker/CVE-2009-5147,
>> this issue is fixed in squeeze but not wheezy and jessie. Is anyone working
>> on an update to stable?
>
> Sorry, even though this should be easy to do, so
* Petter Reinholdtsen [160606 14:01]:
> But I would love to figure out a way to verify that the fix really is working
> before I upload. Anyone got a clue to spare there?
I'm attaching two test programs that both raise a SecurityError on
ruby2.2 in sid, but run through on ruby2.1 in jessie. They
* Petter Reinholdtsen [160102 10:30]:
> [Christian Hofstaedtler]
> > In 2.1 branch, the fix is in this commit:
> >
> > https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
>
> According to https://security-tracker.debian.org/tracker/CVE-2009-5147,
> this issue is fix
[Christian Hofstaedtler]
> In 2.1 branch, the fix is in this commit:
>
> https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
According to https://security-tracker.debian.org/tracker/CVE-2009-5147,
this issue is fixed in squeeze but not wheezy and jessie. Is anyone wor
In 2.1 branch, the fix is in this commit:
https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
Control: retitle -1 CVE-2015-7551
Control: found -1 2.1.5-2+deb8u2
https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
Package: ruby2.1
Version: 2.1.5-4
Severity: important
Tags: security
This has been assigned CVE-2009-5147:
http://seclists.org/oss-sec/2015/q3/222
Cheers,
Moritz