Field | Value | Field | Value
---|---|---|---
Summary: | <dev-ruby/json-2.3.0: Unsafe Object Creation Vulnerability in JSON (CVE-2020-10663) | |
Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | ajak, leio, ruby
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=713480 | |
Whiteboard: | B3 [noglsa cve] | |
Package list: | dev-ruby/json-2.3.0 | |
Runtime testing required: | --- | |
Bug Depends on: | 713480 | |
Bug Blocks: | | |
Description

Hans de Graaff

The fixed version has been in the tree for some time and can be marked stable right away.

That depends marker might keep arch teams away from actioning this one; I suggest to handle this differently until all arches are done here.

hppa stable

sparc stable

arm64 stable

ppc/ppc64 stable

ia64 will pass. See https://archives.gentoo.org/gentoo-dev/message/edaadc85d7423810dd6ecfeda29cc85f

(In reply to Mart Raudsepp from comment #2)
> That depends marker might keep arch teams away from actioning this one; I
> suggest to handle this differently until all arches are done here.

I agree. To be clear, bug 713480 blocks cleanup, not stabilisation, so removing the blocker for now, so that tools pick it up, etc. I will add it back later.

amd64 stable

arm stable

s390 stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

GLSA Vote: No

@ruby, please clean when you can.

Dep is fixed, anything else blocking cleanup?

dev-ruby/json:0 is now masked for removal.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37a7617bdc64e6e7f57180f9a6241d2f63115ca5

    commit 37a7617bdc64e6e7f57180f9a6241d2f63115ca5
    Author:     Michał Górny <mgorny@gentoo.org>
    AuthorDate: 2020-09-14 17:19:35 +0000
    Commit:     Michał Górny <mgorny@gentoo.org>
    CommitDate: 2020-09-14 17:23:44 +0000

        dev-ruby/json: Remove masked slot :0

        Bug: https://bugs.gentoo.org/713478
        Signed-off-by: Michał Górny <mgorny@gentoo.org>

     dev-ruby/json/Manifest                             |  1 -
     dev-ruby/json/files/json-1.8.6-heap-exposure.patch | 82 ----------------------
     dev-ruby/json/json-1.8.6-r1.ebuild                 | 70 ------------------
     profiles/package.mask                              |  5 --
     4 files changed, 158 deletions(-)

Tree is clean. No GLSA. All done, thanks everyone.