On Sat, Oct 29, 2016 at 09:27:25PM +0200, Salvatore Bonaccorso wrote:
> Package: bundler
> Version: 1.7.4-1
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for bundler.
>
> CVE-2016-7954[0]:
> code execution via gem name collision in bundler
>
> Please correct me if I'm wrong. As far as I understand, this issue cannot
> be fixed within the 1.x series due to lockfile format. This bug is to
> continue tracking the CVE in the Debian BTS.
JFTR, Bundler 2 was released in early January.
Cheers,
Moritz
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
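The thread above only names the CVE. For readers who want to check their own projects, the condition behind CVE-2016-7954 is a Gemfile that declares more than one top-level `source`, so that a gem name can be satisfied by whichever source happens to answer (an attacker who registers the same name on a public source can get their gem installed instead of the private one); the mitigation is to pin each gem to a `source "…" do … end` block or a `source:` option. The following is an added example written for this note, not code from the thread, from Bundler or from Debian: a small evaluator for the Gemfile DSL that reports gems left unscoped while multiple global sources are declared. The two Gemfiles, the private source URL and the gem name `example-internal-auth` are constructed for the example.

```ruby
# Added example (not from the Debian thread, Bundler or Debian): evaluate a
# Gemfile with a minimal stand-in for the Bundler DSL and report the
# name-collision precondition behind CVE-2016-7954, i.e. gems that are not
# pinned to a source while more than one top-level `source` is declared.
class GemfileAudit
  attr_reader :global_sources, :gems

  def initialize
    @global_sources = []   # URLs from top-level `source "..."` lines
    @gems = []             # { name:, source: } ; source is nil when unscoped
    @scope = nil           # URL of the enclosing `source "..." do ... end`
  end

  # `source "url"` at top level is a global source; `source "url" do ... end`
  # scopes every gem declared inside the block to that one source.
  def source(url, &block)
    if block
      previous, @scope = @scope, url
      instance_eval(&block)
      @scope = previous
    else
      @global_sources << url
    end
  end

  # `gem "name", "version", source: "url"`: an explicit source: option also
  # pins the gem to a single source.
  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    @gems << { name: name, source: @scope || opts[:source] }
  end

  # Other DSL calls (group, ruby, gemspec, platforms, ...) are ignored, but
  # their blocks are still evaluated so gems declared inside groups count.
  def method_missing(_name, *_args, &block)
    instance_eval(&block) if block
  end

  def self.evaluate(text)
    audit = new
    audit.instance_eval(text, "Gemfile", 1)
    audit
  end

  # Gem names that could be served by more than one source: only possible
  # when at least two distinct global sources exist and the gem is unscoped.
  def ambiguous_gems
    return [] if global_sources.uniq.size < 2
    gems.reject { |g| g[:source] }.map { |g| g[:name] }.uniq
  end
end

# Constructed sample: two global sources, so a public gem named
# "example-internal-auth" could shadow the private one.
VULNERABLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example.internal"

  gem "rails", "~> 5.0"
  group :production do
    gem "example-internal-auth"
  end
GEMFILE

# Constructed sample: same dependencies, private gem pinned to its source.
FIXED_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 5.0"

  source "https://gems.example.internal" do
    gem "example-internal-auth"
  end
GEMFILE

if __FILE__ == $PROGRAM_NAME
  { "vulnerable" => VULNERABLE_GEMFILE, "fixed" => FIXED_GEMFILE }.each do |label, text|
    puts "#{label}: ambiguous gems = #{GemfileAudit.evaluate(text).ambiguous_gems.inspect}"
  end
end
```

Run it as a script to see the two results side by side, or feed it a real Gemfile with `GemfileAudit.evaluate(File.read("Gemfile")).ambiguous_gems`. Note that this only reports the precondition for the collision; it does not inspect any remote source, and a Gemfile that uses a single global source is not affected regardless of how many gems it declares.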