On 10/04/18 at 17:59, Brian May wrote:
> Hello Santiago,
>
> Just wondering if there was any reason for not fixing CVE-2018-1000074
> in DLA 1336-1?
Hi Brian,

As I said in a previous mail, I think it is a not-so-severe issue (the
user has to run the `gem owner` command for it to be exploitable), *and*
I found it too intrusive to be backported to versions <= 2.2. I.e. it
depends on a version of ruby's Psych that includes safe_load and all the
functions it depends on.

It is worth noting that, AFAICS, upstream did not include this fix in
the patch for ruby 2.2 that relates to the rubygems CVEs:

https://bugs.ruby-lang.org/attachments/download/7030/rubygems-276-for-ruby22.patch

I think it is a similar case for CVE-2018-1000079.

I'd like security-team's opinion before tagging them as no-dsa. Please
tell me if you have a different opinion.

Regards,

S
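The technical crux of the thread is that the fix depends on Psych's safe_load. The Ruby snippet below is an added example, not code from rubygems, from this thread or from the upstream patch; it shows what safe_load changes relative to the legacy loader: a `!ruby/object:` tag in a document from an untrusted source is refused unless the class is explicitly permitted, which is the property a backport to a Psych without safe_load cannot get for free. The `Demo` class and both YAML documents are constructed for this example and are not taken from any real rubygems.org response.

```ruby
require 'psych'

# A small class standing in for any object a `!ruby/object:` tag could name.
# Hypothetical, defined only for this example; not a class from rubygems.
class Demo
  attr_reader :name
end

# Constructed sample documents (not captured from rubygems.org): one with only
# scalars and collections, one smuggling a Ruby object tag into a value.
PLAIN_DOC = <<~YAML
  owner: alice
  ids: [1, 2, 3]
YAML

TAGGED_DOC = <<~YAML
  owner: !ruby/object:Demo
    name: mallory
YAML

# The restricted path the fix relies on: Psych.safe_load builds only basic
# types (strings, numbers, arrays, hashes, ...) and raises
# Psych::DisallowedClass for any class tag not on the permitted list;
# aliases are rejected as well (Psych::BadAlias) since they are off by default.
def parse_untrusted(doc, permitted: [])
  Psych.safe_load(doc, permitted_classes: permitted)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { error: e.class.name }
end

# The legacy path. Psych >= 4 made `load` safe by default and kept the old
# behaviour as `unsafe_load`; on older Psych, `load` itself instantiates
# whatever class a `!ruby/object:` tag names. A build that lacks safe_load
# only has this loader.
def legacy_load(doc)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(doc) : Psych.load(doc)
end

if __FILE__ == $PROGRAM_NAME
  p parse_untrusted(PLAIN_DOC)                      # {"owner"=>"alice", "ids"=>[1, 2, 3]}
  p parse_untrusted(TAGGED_DOC)                     # {:error=>"Psych::DisallowedClass"}
  p parse_untrusted(TAGGED_DOC, permitted: [Demo])["owner"].name  # "mallory"
  p legacy_load(TAGGED_DOC)["owner"].class          # Demo
end
```

The `respond_to?(:unsafe_load)` branch exists only so the contrast runs on both old and new Psych; the point of the example is the second `parse_untrusted` call, where the same document that the legacy loader turns into a live `Demo` instance is rejected outright unless the caller opts the class in.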