From ${URL} : Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. Upstream patch: https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
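For readers of this bug who sanitise envelope addresses in application code before they reach Net::SMTP, here is an added example (mine, not the upstream patch or Gentoo's) of a guard that rejects any MAIL FROM / RCPT TO value carrying CR or LF, which is the class of input described above; the sample addresses and the function names are constructed for illustration.

```ruby
# Added example, not code from ruby/ruby or from the Gentoo ebuild.
# An SMTP command is a single RFC 5321 line, so a bare CR or LF inside an
# envelope address can only mean an attempt to smuggle a further command.
def validate_smtp_line(line)
  # `=~` rather than String#match? so the snippet also runs on Ruby 2.2/2.3.
  if line =~ /[\r\n]/
    raise ArgumentError, "SMTP line must not contain CR or LF"
  end
  line
end

# Boolean form of the same check, convenient for input validation layers.
def safe_envelope_address?(addr)
  validate_smtp_line(addr)
  true
rescue ArgumentError
  false
end

# Splits a recipient list into [accepted, rejected] so a mailer can log the
# rejected ones instead of silently passing them to Net::SMTP#rcptto.
def partition_recipients(addrs)
  addrs.partition { |a| safe_envelope_address?(a) }
end

# Constructed sample inputs: one ordinary address and one that embeds a
# CRLF-delimited DATA line of the kind the CVE description mentions.
CLEAN_ADDR    = "alice@example.com"
INJECTED_ADDR = "bob@example.com\r\nDATA\r\n"

if $PROGRAM_NAME == __FILE__
  accepted, rejected = partition_recipients([CLEAN_ADDR, INJECTED_ADDR])
  puts "accepted: #{accepted.inspect}"   # ["alice@example.com"]
  puts "rejected: #{rejected.inspect}"   # ["bob@example.com\r\nDATA\r\n"]
end
```

Ruby 2.4.0 and the patched Gentoo 2.2.7-r3 / 2.3.4-r3 builds raise ArgumentError inside Net::SMTP for such values; the guard above lets an application fail the same way with a clearer error while older interpreters are still deployed.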
We can't mark new slots of ruby stable without a lengthy process, so marking ruby:2.4 stable is not a short-term solution. We may consider backporting this to ruby:2.2 and ruby:2.3.
Fixed in: dev-lang/ruby-2.2.7-r3 dev-lang/ruby-2.3.4-r3
@Ruby, ready to stabilize?
An automated check of this bug failed - repoman reported dependency errors (12 lines truncated):
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
ia64 stable
arm stable
An automated check of this bug failed - repoman reported dependency errors (151 lines truncated):
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: DEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: PDEPEND: sparc(default/linux/sparc/13.0) ['>=dev-ruby/minitest-5.4.3[ruby_targets_ruby22]', '>=dev-ruby/power_assert-0.2.2[ruby_targets_ruby22]', '>=dev-ruby/test-unit-3.0.8[ruby_targets_ruby22]', 'virtual/rubygems[ruby_targets_ruby22]', '>=dev-ruby/json-1.8.1[ruby_targets_ruby22]', '>=dev-ruby/rake-0.9.6[ruby_targets_ruby22]', '>=dev-ruby/rdoc-4.0.1[ruby_targets_ruby22]']
> dependency.bad dev-lang/ruby/ruby-2.2.7-r3.ebuild: RDEPEND: sparc(default/linux/sparc/13.0) ['>=app-eselect/eselect-ruby-20141227']
An automated check of this bug succeeded - the previous repoman errors are now resolved.
ppc/ppc64 stable
Stable on alpha.
commit 8993ae97bf0482fbaffed77b1f8b9fc6ba1e954d
Author: Sergei Trofimovich <slyfox@gentoo.org>
Date: Sat Sep 16 20:13:12 2017 +0100

dev-lang/ruby: stable 2.2.8 for hppa, bug #631034
Vulnerable versions have been removed.
GLSA Vote: No