tag 689075 + pending
thanks

Hello Tyler,

Tyler Hicks wrote:
> Package: ruby1.9.1
> Version: 1.9.3.194-1
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu quantal ubuntu-patch
> 
> Dear Maintainer,
> 
> While running some regression tests I discovered that 1.9.3.194-1 is
> vulnerable to CVE-2011-1005, despite the Ruby advisory stating
> otherwise:
> 
> http://www.ruby-lang.org/en/news/2011/02/18/exception-methods-can-bypass-safe/
> 
> You can use the reproducer in the advisory for verification. Just do a
> 'puts $secret_path' rather than the 'open($secret_path)' block.
> 
> In Ubuntu, the attached patch was applied to achieve the following:
> 
>   * SECURITY UPDATE: Safe level bypass
>     - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
>       taint in exception handling methods. Based on upstream patch.
>     - CVE-2011-1005

Thanks for submitting this. Did you notify upstream of the fact that the
1.9 series is actually affected by this issue?

-- 
Antonio Terceiro <terce...@debian.org>

Attachment: signature.asc
Description: Digital signature