From ${URL} : RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API request, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."

References:
* https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/
* http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
* http://blog.rubygems.org/2015/06/08/2.4.8-released.html
* http://blog.rubygems.org/2015/06/08/2.2.5-released.html
* https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
* https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Fixed rubygems versions are already in the tree and can be marked stable. =dev-ruby/rubygems-2.2.5
Stable for PPC64.
Arches, please test and mark stable: =dev-ruby/rubygems-2.2.5
Target Keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Thank you!
CVE-2015-3900 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3900): RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API request, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
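The flaw described in the CVE text is that the SRV target was accepted as the new API host without checking that it belongs to the configured gem source. The following is an added illustration (not RubyGems' own code) of the defensive check a fetcher needs; `srv_target_allowed?`, `api_endpoint`, the `FakeResolver` and the hostnames are constructed for the example:

```ruby
require 'uri'
require 'resolv'

# Only accept an SRV target that is the source host itself or a name inside
# its DNS zone (a proper subdomain). Trailing dots and case are normalised so
# "api.rubygems.example." still matches; "evilrubygems.example" does not,
# because the match must sit on a label boundary.
def srv_target_allowed?(source_host, srv_target)
  host   = source_host.to_s.strip.downcase.chomp('.')
  target = srv_target.to_s.strip.downcase.chomp('.')
  return false if host.empty? || target.empty?
  return true if target == host
  target.end_with?(".#{host}")
end

# Look up _rubygems._tcp.<host> and move the API endpoint to the SRV target
# only when it passes the check above; otherwise keep the configured source.
# The resolver is injectable so the logic can run offline against constructed
# records (hypothetical design, not the library's API).
def api_endpoint(source_uri, resolver: Resolv::DNS.new)
  uri = URI.parse(source_uri)
  records = resolver.getresources("_rubygems._tcp.#{uri.host}",
                                  Resolv::DNS::Resource::IN::SRV)
  return uri if records.empty?
  target = records.first.target.to_s
  return uri unless srv_target_allowed?(uri.host, target)
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
end

# Constructed stand-in for Resolv::DNS that answers with fixed SRV targets.
FakeSrv = Struct.new(:target)
class FakeResolver
  def initialize(targets) = @targets = targets
  def getresources(_name, _type) = @targets.map { |t| FakeSrv.new(t) }
end

if __FILE__ == $PROGRAM_NAME
  src = 'https://rubygems.example/'
  puts api_endpoint(src, resolver: FakeResolver.new(['api.rubygems.example']))
  puts api_endpoint(src, resolver: FakeResolver.new(['attacker.example']))
end
```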
amd64 stable
x86 stable
arm stable
Stable for HPPA.
alpha stable
ppc stable
sparc stable
Version 2.2.5-r1 already stabilized, which supersedes this. Security, please vote. First GLSA Vote: No. Maintainer(s), please drop the vulnerable version(s).
Vulnerable versions removed.
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
(In reply to Yury German from comment #15)
> Arches and Maintainer(s), Thank you for your work.
>
> GLSA Vote: No

GLSA Vote: No