Date: Tue, 10 Oct 2017 11:17:19 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r451674 - head/security/vuxml Message-ID: <201710101117.v9ABHJol037690@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sunpoet Date: Tue Oct 10 11:17:19 2017 New Revision: 451674 URL: https://svnweb.freebsd.org/changeset/ports/451674 Log: Document rubygems vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Oct 10 11:17:13 2017 (r451673) +++ head/security/vuxml/vuln.xml Tue Oct 10 11:17:19 2017 (r451674) @@ -58,6 +58,38 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="2c8bd00d-ada2-11e7-82af-8dbff7d75206"> + <topic>rubygems -- deserialization vulnerability</topic> + <affects> + <package> + <name>ruby22-gems</name> + <name>ruby23-gems</name> + <name>ruby24-gems</name> + <range><lt>2.6.14</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>oss-security mailing list:</p> + <blockquote cite="http://www.openwall.com/lists/oss-security/2017/10/10/2"> + <p>There is a possible unsafe object desrialization vulnerability in + RubyGems. It is possible for YAML deserialization of gem specifications + to bypass class white lists. Specially crafted serialized objects can + possibly be used to escalate to remote code execution.</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.openwall.com/lists/oss-security/2017/10/10/2</url> + <url>http://blog.rubygems.org/2017/10/09/2.6.14-released.html</url> + <cvename>CVE-2017-0903</cvename> + </references> + <dates> + <discovery>2017-10-09</discovery> + <entry>2017-10-10</entry> + </dates> + </vuln> + <vuln vid="4f8ffb9c-f388-4fbd-b90f-b3131559d888"> <topic>xorg-server -- multiple vulnabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201710101117.v9ABHJol037690>