Ola Lundqvist pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
dd0cff64 by Ola Lundqvist at 2020-04-27T22:22:05+02:00
Conclusion for jessie regarding CVE-2020-10663. The package ruby-json should be
fixed since the code is clearly vulnerable and it looks like a rather serious
problem. Ruby version 2.1 is not vulnerable since it does not have this piece
of code. Marked this without any jessie-specific tag since 2.1 is only in
jessie and therefore does not affect any other release.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5091,7 +5091,7 @@ CVE-2020-10663 [Unsafe Object Creation Vulnerability in
JSON (Additional fix to
- ruby2.7 <not-affected> (Fixed before initial upload to Debian)
- ruby2.5 <unfixed>
- ruby2.3 <removed>
- - ruby2.1 <removed>
+ - ruby2.1 <not-affected> (Vulnerable source not in this source package)
NOTE:
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
NOTE: https://hackerone.com/reports/706934
NOTE:
https://github.com/ruby/ruby/commit/36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01
(2.6.6)
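Review bot: the `<not-affected>` reason on the ruby2.1 line ("Vulnerable source not in this source package") records only half of the conclusion; the commit message says the vulnerable code lives in ruby-json for jessie and that package needs a fix, but nothing in this entry points a jessie triager there. Suggest adding a NOTE line next to the tag, e.g. `NOTE: jessie: vulnerable code is shipped by src:ruby-json, not ruby2.1`, so the reasoning survives alongside the status it justifies rather than only in the git log.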
=====================================
data/dla-needed.txt
=====================================
@@ -86,6 +86,8 @@ php5 (Thorsten Alteholz)
--
qemu (Adrian Bunk)
--
+ruby-json
+--
ruby-rack
NOTE: 20191219: The security update causes a regression and also, there's a
NOTE: slight possibility of this patch inducing a backdoor on its own.
(utkarsh2102)
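Review bot: the new `ruby-json` entry is added without a NOTE line, while the neighbouring `ruby-rack` entry shows the file's convention of a dated rationale (`NOTE: 20191219: ...`). Add the CVE and the reason the package landed here, e.g. `NOTE: 20200427: CVE-2020-10663, vulnerable code is in ruby-json rather than ruby2.1 in jessie.`, so the next DLA worker can see why ruby-json rather than ruby2.1 is the package to fix.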
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd0cff642a311169a1dc77a777801699939c4e6d
--
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits