From 21480756ee6d1de48f9c4470d119a32a9c619a5d Mon Sep 17 00:00:00 2001 From: Sunpoet Po-Chuan Hsieh Date: Wed, 23 Dec 2015 19:07:57 +0000 Subject: [PATCH] - Document Ruby vulnerability --- security/vuxml/vuln.xml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 4405e33d1d45..2620272832cf 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,40 @@ Notes: --> + + Ruby -- unsafe tainted string vulnerability + + + ruby + 2.0.0.648,1 + 2.1.8,1 + 2.2.4,1 + + + + +

Ruby developer reports:

+
+

There is an unsafe tainted string vulnerability in Fiddle and DL. + This issue was originally reported and fixed with CVE-2009-5147 in + DL, but reappeared after DL was reimplemented using Fiddle and + libffi.

+

And, about DL, CVE-2009-5147 was fixed at Ruby 1.9.1, but not + fixed at other branches, then rubies which bundled DL except Ruby + 1.9.1 are still vulnerable.

+
+ +
+ + https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/ + CVE-2015-7551 + + + 2015-12-16 + 2015-12-23 + +
+ Bugzilla security issues