CVE-2017-17042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17042): lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
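The check the advisory describes, shown as an added illustration that is not YARD's code and not the upstream fix: a lexical path cleaner that keeps a leading "../" segment, the serving routine that trusts it, and a hardened resolver that expands the joined path and tests containment under the document root. The root path, function names and sample requests are assumptions made for this example.

```ruby
# Constructed document root for the example (hypothetical; not YARD's layout).
DOC_ROOT = '/srv/yard-docs'

# Lexical cleaner of the kind the advisory describes as insufficient: it drops
# "." segments and collapses "name/.." pairs, but a ".." with nothing left to
# pop is kept, so "../../etc/passwd" comes back unchanged. Illustrative only;
# this is not the code from lib/yard/core_ext/file.rb.
def lenient_cleanpath(path)
  out = []
  path.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..' && !out.empty? && out.last != '..'
      out.pop
    else
      out << seg
    end
  end
  out.join('/')
end

# Serving routine that trusts the cleaner: joins root and cleaned path and
# never checks that the result is still under the root.
def vulnerable_resolve(root, requested)
  File.expand_path(File.join(root, lenient_cleanpath(requested)))
end

# Hardened resolver: expand the joined path, then require that it is the root
# itself or lies under "root/". A leading "../" or a ".." buried after a real
# segment fails the containment test and yields nil; an absolute request is
# simply rooted under root by File.join.
def safe_resolve(root, requested)
  root = File.expand_path(root)
  candidate = File.expand_path(File.join(root, requested))
  inside = candidate == root || candidate.start_with?(root + File::SEPARATOR)
  inside ? candidate : nil
end

if __FILE__ == $PROGRAM_NAME
  ['index.html', 'docs/../index.html', '../../etc/passwd', '/etc/passwd'].each do |req|
    puts format('%-20s vulnerable=%-30s safe=%s', req,
                vulnerable_resolve(DOC_ROOT, req), safe_resolve(DOC_ROOT, req).inspect)
  end
end
```

File.expand_path is purely lexical, so a symlink inside the root can still point outside it; when the candidate exists, compare File.realpath(candidate) against File.realpath(root) in the same way before opening it.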
@Maintainers please call for stabilization when ready. Thank you
amd64 stable
sparc stable (thanks to Rolf Eike Beer)
ppc/ppc64 stable
ia64 stable
arm stable
Stable on alpha.
x86 stable
@Maintainer(s): Please cleanup and drop <dev-ruby/yard-0.9.11!
Cleanup done.
(In reply to Hans de Graaff from comment #10)
> Cleanup done.

Thanks, Hans!

GLSA Vote: No
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00f500d2a19a0968de9dd0264fa7094aa99fa4ef

commit 00f500d2a19a0968de9dd0264fa7094aa99fa4ef
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-07-16 06:28:10 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-16 06:54:06 +0000

    dev-ruby/yard: stable 0.9.11 for hppa

    Bug: https://bugs.gentoo.org/639708
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="hppa"

 dev-ruby/yard/yard-0.9.11.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)