Now in the tree:
(In reply to comment #1)
> Now in the tree:
Arches, please test and mark stable.
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
GLSA vote: yes.
The JSON gem 1.7.x before 1.7.7, 1.6.x before 1.6.8, and 1.5.x before 1.5.5
allows remote attackers to cause a denial of service (resource consumption)
or bypass the mass assignment protection mechanism via a crafted JSON
document that triggers the creation of arbitrary Ruby symbols or certain
internal objects, as demonstrated by conducting a SQL injection attack
against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows
remote attackers to cause a denial of service (memory consumption and crash)
via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE)
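An added illustration of the JSON gem issue described above (this is example code written for this page, not code from the bug, the json gem or Rails): the pre-1.7.7 JSON.parse honoured a "json_class" key by default and called that class's json_create on the decoded Hash, so any class in the process that responds to json_create could be instantiated from an untrusted request body. The fix in 1.7.7 flipped the JSON.parse default to create_additions: false (JSON.load kept the old behaviour). The ReportQuery class and the CRAFTED document below are constructed for the example; the symbol-exhaustion half of the advisory is not reproduced, since symbols have been garbage-collected since Ruby 2.2.

```ruby
require 'json'

# Hypothetical application class, constructed for this example. Any class
# that responds to json_create is a candidate for parser-driven creation
# when create_additions is enabled and the document carries a json_class key.
class ReportQuery
  attr_reader :sql

  def initialize(sql)
    @sql = sql
  end

  # Called by the json gem with the decoded Hash when it sees
  # {"json_class": "ReportQuery", ...} and create_additions is on.
  def self.json_create(hash)
    new(hash['sql'])
  end

  # The gem normally answers this via Class#json_creatable?; defined here
  # explicitly so the example does not depend on that monkey-patch.
  def self.json_creatable?
    true
  end
end

# Constructed attacker-controlled document: the application never mentions
# ReportQuery on this code path, yet the document asks the parser to build one.
CRAFTED = '{"json_class":"ReportQuery","sql":"SELECT * FROM reports"}'

# Behaviour of JSON.parse before json 1.7.7 (create_additions defaulted to true).
def parse_legacy(doc)
  JSON.parse(doc, create_additions: true)
end

# Behaviour from 1.7.7 on: json_class is just another string key.
def parse_safe(doc)
  JSON.parse(doc, create_additions: false)
end

# Defensive check independent of the parser default: walk the decoded value
# and report whether any object carries the create id ("json_class" unless
# JSON.create_id was changed), i.e. whether the document tried to trigger
# object creation at all.
def contains_create_id?(value, id = JSON.create_id)
  case value
  when Hash  then value.key?(id) || value.values.any? { |v| contains_create_id?(v, id) }
  when Array then value.any? { |v| contains_create_id?(v, id) }
  else false
  end
end

if __FILE__ == $0
  legacy = parse_legacy(CRAFTED)
  puts "create_additions: true  -> #{legacy.class} (sql=#{legacy.sql.inspect})"
  safe = parse_safe(CRAFTED)
  puts "create_additions: false -> #{safe.class}"
  puts "document requests object creation: #{contains_create_id?(safe)}"
end
```

Run it with any json gem that still accepts the create_additions option: parse_legacy hands back a live ReportQuery whose sql field the attacker chose, while parse_safe returns a plain Hash. Code that must keep create_additions on for its own serialised types should at least reject untrusted input for which contains_create_id? is true.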
GLSA Vote: Yes
Added to an existing GLSA request.
This issue was resolved and addressed in
GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml
by GLSA coordinator Sean Amoss (ackle).