author | Peter Korsgaard <peter@korsgaard.com> | 2017-09-07 11:17:55 +0200 |
---|---|---|
committer | Thomas Petazzoni <thomas.petazzoni@free-electrons.com> | 2017-09-09 22:44:00 +0200 |
commit | 0e5448af5091ee208fdd38a4e221f444085dd0c8 (patch) | |
tree | 26c8626a12effefb9a9efff90bdac20e3774e3f3 /package/python-cryptography/Config.in | |
parent | a834b86ee0a9396ec2698aaf69547ff8db500b00 (diff) | |
download | buildroot-0e5448af5091ee208fdd38a4e221f444085dd0c8.tar.gz buildroot-0e5448af5091ee208fdd38a4e221f444085dd0c8.zip |
ruby: add upstream security patches bumping rubygems to 2.6.13

We unfortunately cannot use the upstream patches directly as they are not in
'patch -p1' format, so convert them and include instead.

Fixes:

CVE-2017-0899 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications that include terminal escape
characters. Printing the gem specification would execute terminal escape
sequences.

CVE-2017-0900 - RubyGems version 2.6.12 and earlier is vulnerable to
maliciously crafted gem specifications to cause a denial of service attack
against RubyGems clients who have issued a `query` command.

CVE-2017-0901 - RubyGems version 2.6.12 and earlier fails to validate
specification names, allowing a maliciously crafted gem to potentially
overwrite any file on the filesystem.

CVE-2017-0902 - RubyGems version 2.6.12 and earlier is vulnerable to a DNS
hijacking vulnerability that allows a MITM attacker to force the RubyGems
client to download and install gems from a server that the attacker
controls.

For more details, see
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Diffstat (limited to 'package/python-cryptography/Config.in')
0 files changed, 0 insertions, 0 deletions