http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/
http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
Now in the tree: =dev-lang/ruby-1.9.3_p392
(In reply to comment #1)
> Now in the tree:
>
> =dev-lang/ruby-1.9.3_p392

Thanks, Hans. Arches, please test and mark stable.
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"
ppc stable
ppc64 stable
amd64 stable
x86 stable
ia64 stable
hppa stable
sparc stable
s390 stable
arm stable
alpha stable
sh stable
GLSA vote: yes.
CVE-2013-0269 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0269): The JSON gem 1.7.x before 1.7.7, 1.6.x before 1.6.8, and 1.5.x before 1.5.5 allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
CVE-2013-1821 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1821): lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.
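Added illustration of the "unsafe object creation" half of CVE-2013-0269, not part of this bug or of the JSON gem's own code: the JSON gem's `create_additions` option makes the parser look up the `json_class` key of any object in the document and call that class's `json_create`, so an untrusted document chooses which class gets instantiated. The `AuditRecord` class and the document below are constructed for the demonstration; the defensive form is simply to parse untrusted input with `create_additions: false` (the default for `JSON.parse` in fixed gem versions) and treat the result as plain data.

```ruby
require 'json'

# Constructed application class. With create_additions enabled the JSON gem
# resolves the "json_class" string to this constant and calls json_create on
# the parsed hash, so whatever the document names gets instantiated.
class AuditRecord
  attr_reader :actor

  def initialize(actor)
    @actor = actor
  end

  def self.json_create(hash)
    new(hash['actor'])
  end
end

# Constructed untrusted input: the "json_class" key is controlled by the sender.
UNTRUSTED_DOC = '{"json_class":"AuditRecord","actor":"anonymous"}'

# Pre-fix behaviour (create_additions on): the document drives object creation.
def parse_with_additions(src)
  JSON.parse(src, create_additions: true)
end

# Hardened form: json_class is just another string key, and keys stay Strings
# (symbolize_names off), so the document cannot create objects or symbols.
def parse_untrusted(src)
  JSON.parse(src, create_additions: false, symbolize_names: false)
end

# Defensive check a caller can apply after parsing: the result of parsing
# untrusted input must be plain JSON data, never an application object.
PLAIN_JSON_TYPES = [Hash, Array, String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

def plain_json_data?(value)
  case value
  when Hash  then value.all? { |k, v| k.is_a?(String) && plain_json_data?(v) }
  when Array then value.all? { |v| plain_json_data?(v) }
  else PLAIN_JSON_TYPES.any? { |t| value.is_a?(t) }
  end
end

if __FILE__ == $PROGRAM_NAME
  unsafe = parse_with_additions(UNTRUSTED_DOC)
  safe   = parse_untrusted(UNTRUSTED_DOC)
  puts "create_additions: true  -> #{unsafe.class} (plain data? #{plain_json_data?(unsafe)})"
  puts "create_additions: false -> #{safe.class} (plain data? #{plain_json_data?(safe)})"
end
```

Run as a script it shows the same document yielding an `AuditRecord` instance under the old behaviour and a plain `Hash` under the hardened call; `plain_json_data?` is the kind of assertion worth keeping at a trust boundary even after upgrading the gem.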
GLSA Vote: Yes
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).