CVE-2016-7954: code execution via gem name collision in bundler


Debian Bug report logs - #842504


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 29 Oct 2016 19:30:01 UTC

Severity: important

Tags: security, upstream

Found in version bundler/1.7.4-1



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#842504; Package bundler. (Sat, 29 Oct 2016 19:30:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 29 Oct 2016 19:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2016-7954: code execution via gem name collision in bundler
Date: Sat, 29 Oct 2016 21:27:25 +0200
Package: bundler
Version: 1.7.4-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for bundler.

CVE-2016-7954[0]:
code execution via gem name collision in bundler

Please correct me if I'm wrong. As far as I understand, this issue cannot
be fixed within the 1.x series due to lockfile format. This bug is to
continue tracking the CVE in the Debian BTS.

We have marked the issue as no-dsa already for jessie.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7954

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
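The report above only names the issue. The pattern behind CVE-2016-7954 is a Gemfile that declares more than one global `source`: a gem meant to come from a private server can then be satisfied by a same-named gem published on a public source, and its install hooks or code run in the application. The upstream-recommended layout binds each private gem to its server with a `source ... do` block. The script below is an added example, not Bundler's own code and not part of this bug report: a line-based audit that flags gems a multi-source Gemfile leaves unbound. Both Gemfiles are constructed inline, the private server URL `https://gems.example.internal` is an assumption, and the parser handles only the literal `source`/`gem` forms shown (a real Gemfile is Ruby and can contain arbitrary code).

```ruby
# Added example (not Bundler's own code): audit a Gemfile for the
# ambiguous-source layout behind CVE-2016-7954.
# Both Gemfiles are constructed inputs; the private server URL is an assumption.

WEAK_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"   # assumed private gem server

  gem "rails"
  gem "internal-billing"   # only meant to come from the private server
GEMFILE

HARDENED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails"

  source "https://gems.example.internal" do
    gem "internal-billing"               # now bound to one remote
  end
GEMFILE

# Parse a Gemfile into [global_sources, gems]. Each gem records the source
# block it sits in (nil when it may be resolved from any global source).
# Only the literal forms used above are understood; comments are stripped.
def parse_gemfile(text)
  global_sources = []
  gems = []
  scoped = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, "").strip
    next if line.empty?
    case line
    when /\Asource\s+["']([^"']+)["']\s+do\z/   # scoped block opens
      scoped = Regexp.last_match(1)
    when /\Asource\s+["']([^"']+)["']\z/        # global source
      global_sources << Regexp.last_match(1)
    when /\Aend\z/                               # scoped block closes
      scoped = nil
    when /\Agem\s+["']([^"']+)["']/              # gem declaration
      gems << { name: Regexp.last_match(1), source: scoped }
    end
  end
  [global_sources, gems]
end

# Names of gems that could be resolved from more than one remote: this is
# only possible when several global sources exist and the gem is unscoped.
def ambiguous_gems(text)
  sources, gems = parse_gemfile(text)
  return [] if sources.size <= 1
  gems.reject { |g| g[:source] }.map { |g| g[:name] }
end

if __FILE__ == $PROGRAM_NAME
  puts "weak:     #{ambiguous_gems(WEAK_GEMFILE).inspect}"
  puts "hardened: #{ambiguous_gems(HARDENED_GEMFILE).inspect}"
end
```

On the weak Gemfile the audit reports both `rails` and `internal-billing`, because with two global sources Bundler 1.x may take either gem from either remote; the hardened Gemfile leaves a single global source and reports nothing. The check is deliberately conservative: it flags every unscoped gem rather than trying to guess which remote "should" win.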



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#842504; Package bundler. (Thu, 31 Jan 2019 23:18:03 GMT)

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 31 Jan 2019 23:18:03 GMT)


Message #10 received at 842504@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 842504@bugs.debian.org
Subject: Re: CVE-2016-7954: code execution via gem name collision in bundler
Date: Fri, 1 Feb 2019 00:15:43 +0100
On Sat, Oct 29, 2016 at 09:27:25PM +0200, Salvatore Bonaccorso wrote:
> Package: bundler
> Version: 1.7.4-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for bundler.
> 
> CVE-2016-7954[0]:
> code execution via gem name collision in bundler
> 
> Please correct me if I'm wrong. As far as I understand, this issue cannot
> be fixed within the 1.x series due to lockfile format. This bug is to
> continue tracking the CVE in the Debian BTS.

JFTR; Bundler 2 was released in early January.

Cheers,
        Moritz





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:07:44 2019; Machine Name: buxtehude
