From ${URL} : The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might have security relevance as a bypass of a $SAFE protection mechanism. Upstream bug: https://bugs.ruby-lang.org/issues/13742 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Upstream intends to backport this to ruby 2.4, and we will use the backported patch.
Upstream says: "Note that this is not a vulnerability. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11465 is invalid."