Bug 651884 (CVE-2017-17742, CVE-2018-6914, CVE-2018-8777, CVE-2018-8778, CVE-2018-8779, CVE-2018-8780) - <dev-lang/ruby-{2.2.10,2.3.7}: Multiple vulnerabilities
Summary: <dev-lang/ruby-{2.2.10,2.3.7}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-17742, CVE-2018-6914, CVE-2018-8777, CVE-2018-8778, CVE-2018-8779, CVE-2018-8780
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.ruby-lang.org/en/news/201...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: ruby23-stable
Blocks:
Reported: 2018-03-29 06:23 UTC by Hans de Graaff
Modified: 2018-06-24 04:22 UTC

See Also:
Package list:
dev-lang/ruby-2.2.10 dev-lang/ruby-2.3.7
Runtime testing required: ---
stable-bot: sanity-check+


Description Hans de Graaff gentoo-dev 2018-03-29 06:23:59 UTC
CVE-2017-17742: HTTP response splitting in WEBrick
CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
CVE-2018-8777: DoS by large request in WEBrick
CVE-2018-8778: Buffer under-read in String#unpack
CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir

Affected versions:

<dev-lang/ruby-2.2.10
<dev-lang/ruby-2.3.5
<dev-lang/ruby-2.4.4
<dev-lang/ruby-2.5.1
Comment 1 Hans de Graaff gentoo-dev 2018-03-29 06:43:53 UTC
Fixed versions are now available.
Comment 2 Hans de Graaff gentoo-dev 2018-04-02 06:10:12 UTC
Please test and mark stable.
Comment 3 Stabilization helper bot gentoo-dev 2018-04-02 07:01:53 UTC
An automated check of this bug failed - repoman reported dependency errors (4 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
Comment 4 Larry the Git Cow gentoo-dev 2018-04-03 21:07:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66f2619ef760bdb938c109f07de6fbe009e75b7d

commit 66f2619ef760bdb938c109f07de6fbe009e75b7d
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-03 20:24:51 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-03 21:07:21 +0000

    dev-lang/ruby: stable 2.3.7 for sparc
    
    Bug: https://bugs.gentoo.org/651884
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-lang/ruby/ruby-2.3.7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=370e4e1b0707bfaeb281245890620afcb516b19e

commit 370e4e1b0707bfaeb281245890620afcb516b19e
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-03 20:23:18 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-03 21:07:21 +0000

    dev-lang/ruby: stable 2.2.10 for sparc
    
    Bug: https://bugs.gentoo.org/651884
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-lang/ruby/ruby-2.2.10.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-04-05 13:43:34 UTC
x86 stable
Comment 6 Stabilization helper bot gentoo-dev 2018-04-05 14:02:25 UTC
An automated check of this bug failed - repoman reported dependency errors (4 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
Comment 7 Hans de Graaff gentoo-dev 2018-04-05 16:57:42 UTC
amd64 stable
Comment 8 Stabilization helper bot gentoo-dev 2018-04-05 17:02:07 UTC
An automated check of this bug failed - repoman reported dependency errors (4 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
Comment 9 Sergei Trofimovich gentoo-dev 2018-04-06 19:48:16 UTC
ia64 stable
Comment 10 Stabilization helper bot gentoo-dev 2018-04-06 20:01:41 UTC
An automated check of this bug failed - repoman reported dependency errors (4 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.7.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
Comment 11 Stabilization helper bot gentoo-dev 2018-04-08 21:01:19 UTC
An automated check of this bug failed - repoman reported dependency errors (14 lines truncated): 

> dependency.bad dev-lang/ruby/ruby-2.3.6.ebuild: PDEPEND: alpha(default/linux/alpha/13.0) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.6.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.6.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.6.ebuild: PDEPEND: alpha(default/linux/alpha/13.0) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.6.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
> dependency.bad dev-lang/ruby/ruby-2.3.6.ebuild: PDEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-ruby/did_you_mean-1.0.0:1[ruby_targets_ruby23]', '>=dev-ruby/minitest-5.8.3[ruby_targets_ruby23]', '>=dev-ruby/net-telnet-0.1.1[ruby_targets_ruby23]', '>=dev-ruby/power_assert-0.2.6[ruby_targets_ruby23]', '>=dev-ruby/rake-10.4.2[ruby_targets_ruby23]', '>=dev-ruby/test-unit-3.1.5[ruby_targets_ruby23]', 'virtual/rubygems[ruby_targets_ruby23]', '>=dev-ruby/json-1.8.3[ruby_targets_ruby23]', '>=dev-ruby/rdoc-4.2.1[ruby_targets_ruby23]']
Comment 12 Matt Turner gentoo-dev 2018-04-08 22:12:50 UTC
alpha stable
Comment 13 Stabilization helper bot gentoo-dev 2018-04-08 23:03:29 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 14 Markus Meier gentoo-dev 2018-04-14 11:39:03 UTC
arm stable
Comment 15 Larry the Git Cow gentoo-dev 2018-04-20 21:27:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29a804f86af7076d99446b99184a780d33fa2df7

commit 29a804f86af7076d99446b99184a780d33fa2df7
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-20 21:27:00 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-20 21:27:33 +0000

    dev-lang/ruby: stable 2.3.7 for ppc64, bug #651884
    
    Bug: https://bugs.gentoo.org/651884
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 dev-lang/ruby/ruby-2.3.7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c16067c7ee6fe1f5fd69767ebf2220e316ee057

commit 3c16067c7ee6fe1f5fd69767ebf2220e316ee057
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-04-20 21:26:53 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-20 21:27:33 +0000

    dev-lang/ruby: stable 2.2.10 for ppc64, bug #651884
    
    Bug: https://bugs.gentoo.org/651884
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 dev-lang/ruby/ruby-2.2.10.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 16 Matt Turner gentoo-dev 2018-04-22 19:18:18 UTC
hppa stable
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2018-05-07 16:16:57 UTC
CVE-2018-8780 (https://nvd.nist.gov/vuln/detail/CVE-2018-8780):
  In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before
  2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty?
  methods do not check NULL characters. When using the corresponding method,
  unintentional directory traversal may be performed.

CVE-2018-8779 (https://nvd.nist.gov/vuln/detail/CVE-2018-8779):
  In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before
  2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods
  are not checked for null characters. It may be connected to an unintended
  socket.

CVE-2018-8778 (https://nvd.nist.gov/vuln/detail/CVE-2018-8778):
  In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before
  2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format
  (similar to format string vulnerabilities) can trigger a buffer under-read
  in the String#unpack method, resulting in a massive and controlled
  information disclosure.

CVE-2018-8777 (https://nvd.nist.gov/vuln/detail/CVE-2018-8777):
  In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before
  2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a
  crafted header to WEBrick server or a crafted body to WEBrick server/handler
  and cause a denial of service (memory consumption).

CVE-2018-6914 (https://nvd.nist.gov/vuln/detail/CVE-2018-6914):
  Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir
  library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x
  before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary
  directories or files via a .. (dot dot) in the prefix argument.

CVE-2017-17742 (https://nvd.nist.gov/vuln/detail/CVE-2017-17742):
  Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before
  2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An
  attacker can inject a crafted key and value into an HTTP response for the
  HTTP server of WEBrick.
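The three input-handling bug classes named in the bug description and in the CVE texts quoted above (a poisoned NUL byte reaching Dir or UNIXSocket, CVE-2018-8779/CVE-2018-8780; a ".." or separator in a tmpdir prefix, CVE-2018-6914; and CR/LF in a WEBrick header value, CVE-2017-17742), shown as an added Ruby example. This is not code from the bug report, from Gentoo or from Ruby's own fixes: the module `UntrustedInput`, its method names and the sample strings are this example's own, and it uses only the standard `tmpdir` and `fileutils` libraries. It shows why each input is dangerous (what a C path API sees after a NUL, how a naive header serialisation turns one value into two header lines) next to the check an application can apply before handing untrusted data to those APIs, independent of which Ruby version is installed.

```ruby
# Added example (not part of the Gentoo bug or of Ruby's own fixes): checks
# that mirror the bug classes in this report -- poisoned NUL bytes reaching
# Dir/UNIXSocket (CVE-2018-8779/8780), "../" in a tmpdir prefix
# (CVE-2018-6914) and CR/LF in a WEBrick header value (CVE-2017-17742).
# Module, method names and sample inputs below are this example's own.
require "tmpdir"
require "fileutils"

module UntrustedInput
  NUL = "\0".freeze

  # What a C-level path API sees when Ruby hands it a string with a NUL in
  # it: everything after the first NUL is dropped. A Ruby-level check on the
  # full string (e.g. "ends with .txt") therefore says nothing about the
  # path the OS actually opens, which is the whole point of the NUL attacks.
  def self.as_seen_by_libc(str)
    str.split(NUL, 2).first || ""
  end

  # One path component destined for Dir/tmpdir/UNIXSocket: no NUL byte, no
  # path separator, not "." or "..". Returns the component or raises.
  def self.path_component!(str)
    str = String(str)
    raise ArgumentError, "string contains null byte" if str.include?(NUL)
    seps = [File::SEPARATOR, File::ALT_SEPARATOR].compact
    if seps.any? { |s| str.include?(s) } || str == ".." || str == "."
      raise ArgumentError, "not a single path component: #{str.inspect}"
    end
    str
  end

  # Dir.mktmpdir with the prefix validated first, so a prefix such as
  # "../../tmp/evil" cannot steer the new directory outside Dir.tmpdir.
  def self.mktmpdir_checked(prefix)
    Dir.mktmpdir(path_component!(prefix))
  end

  # HTTP header values must not contain CR or LF: "/\r\nSet-Cookie: admin=1"
  # would otherwise terminate the Location line and start a new header.
  def self.header_value!(value)
    value = String(value)
    raise ArgumentError, "CR/LF in header value" if value.match?(/[\r\n]/)
    value
  end

  # Naive serialisation with no per-value check, then re-parsed the way a
  # client would: returns the header names the client actually receives.
  def self.headers_received(fields)
    wire = fields.map { |k, v| "#{k}: #{v}\r\n" }.join + "\r\n"
    wire.split("\r\n").reject(&:empty?).map { |line| line.split(": ", 2).first }
  end
end

if $PROGRAM_NAME == __FILE__
  # Sample inputs are constructed for this example.
  p UntrustedInput.as_seen_by_libc("/var/run/app.sock\0.txt")
  dir = UntrustedInput.mktmpdir_checked("build")
  puts "created #{dir} inside #{Dir.tmpdir}"
  FileUtils.rm_rf(dir)
  begin
    UntrustedInput.mktmpdir_checked("../../tmp/evil")
  rescue ArgumentError => e
    puts "rejected prefix: #{e.message}"
  end
  p UntrustedInput.headers_received("Location" => "/\r\nSet-Cookie: admin=1")
end
```

`headers_received` is deliberately the vulnerable serialisation, kept only to show the effect of an unchecked value; a real response writer would call `header_value!` on every value first. `as_seen_by_libc` is a model of the truncation, not a call into libc, which is why the check in `path_component!` rejects the NUL byte outright rather than trying to reason about the truncated prefix.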
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-05-27 11:29:40 UTC
ppc stable
Comment 19 Hans de Graaff gentoo-dev 2018-05-28 05:09:24 UTC
Vulnerable versions have been removed.
Comment 20 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-05-28 12:28:31 UTC
GLSA Vote: No

Thanks all,
Comment 21 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-06-14 16:03:41 UTC
re-opening.

=dev-lang/ruby-2.3.6 is still in the tree, which is vulnerable.
Comment 22 Hans de Graaff gentoo-dev 2018-06-15 05:45:03 UTC
Cleanup now really done.
Comment 23 Michael Boyle 2018-06-24 04:22:32 UTC
Thank you guys.

Michael Boyle
Security Padawan