Summary: | <dev-ruby/rexml-3.2.4, <dev-lang/ruby-{2.5.9,2.6.7,2.7.3,3.0.1}: XML round-trip vulnerability (CVE-2021-28965) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ruby |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/ | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | dev-lang/ruby-2.6.7-r2 | ||
Runtime testing required: | --- |
Description
Hans de Graaff
2021-04-06 05:14:02 UTC

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb6c6805ad382db0062aa3b51dbba9992309d8b4

commit bb6c6805ad382db0062aa3b51dbba9992309d8b4
Author: Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-04-06 06:14:46 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-04-06 06:14:53 +0000

    dev-lang/ruby: add 2.5.7, 2.6.7, 2.7.3, 3.0.1

    Bug: https://bugs.gentoo.org/780498
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest          |   4 +
 dev-lang/ruby/ruby-2.5.9.ebuild | 246 +++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-2.6.7.ebuild | 259 +++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-2.7.3.ebuild | 263 +++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-3.0.1.ebuild | 264 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 1036 insertions(+)

dev-ruby/rexml-3.2.5 has also been added.

I'd like to wait a couple days before starting stabling the dev-lang/ruby versions since we introduced some other changes in the previous revisions that still need some investigation.

(In reply to Hans de Graaff from comment #2)
> dev-ruby/rexml-3.2.5 has also been added.
>
> I'd like to wait a couple days before starting stabling the dev-lang/ruby
> versions since we introduced some other changes in the previous revisions
> that still need some investigation.

Thanks!

Ping

(In reply to Sam James from comment #4)
> Ping

ping

Unable to check for sanity:
> no match for package: dev-lang/ruby-2.5.9

The fixed ruby versions contain unrelated changes that break json in various cases. That needs to be fixed first before we can stable these versions.

(In reply to Hans de Graaff from comment #7)
> The fixed ruby versions contain unrelated changes that break json in various
> cases. That needs to be fixed first before we can stable these versions.

Fixed versions are now in the tree. Let's give them a few days before stabling them.

amd64 stable
ppc stable
sparc stable
x86 stable
hppa stable
ppc64 stable
arm64 done

Unable to check for sanity:
> package masked: dev-lang/ruby-2.5.9-r1

All sanity-check issues have been resolved

arm done
all arches done

Please cleanup, thanks!

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=915ad705bf194fb1a9ee62b699689fb83499a022

commit 915ad705bf194fb1a9ee62b699689fb83499a022
Author: Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-18 08:46:26 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-18 08:46:26 +0000

    dev-lang/ruby: cleanup vulnerable versions

    Bug: https://bugs.gentoo.org/780498
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest             |   3 -
 dev-lang/ruby/ruby-2.6.6-r4.ebuild | 258 ------------------------------------
 dev-lang/ruby/ruby-2.7.2-r2.ebuild | 261 ------------------------------------
 dev-lang/ruby/ruby-2.7.2-r3.ebuild | 263 ------------------------------------
 dev-lang/ruby/ruby-3.0.0-r3.ebuild | 262 ------------------------------------
 dev-lang/ruby/ruby-3.0.0-r4.ebuild | 262 ------------------------------------
 dev-lang/ruby/ruby-3.0.0-r5.ebuild | 264 -------------------------------------
 7 files changed, 1573 deletions(-)

Missed 2.5.8?

(In reply to John Helmert III from comment #21)
> Missed 2.5.8?

Ruby 2.5 is already masked for removal.

Unable to check for sanity:
> no match for package: dev-lang/ruby-2.6.7-r2