From: "npic1 (Nat Pic1)" Date: 2021-12-26T09:10:59+00:00 Subject: [ruby-core:106824] [Ruby master Bug#18431] Ruby 2.6.9, bundler 1.17.2 and CVE-2021-43809 Issue #18431 has been updated by npic1 (Nat Pic1). hsbt (Hiroshi SHIBATA) wrote in #note-1: > Bundler 1.x is EOL now. I have no plan to update it on Ruby 2.6. > > You can upgrade bundler with `gem update bundler`. I understand, but you should think that every system that will ship with ruby 2.6 will also ship a vulnerable bundler by default and CVE-2021-43809 has a 7.3 CVSS rating. Removing/upgrading the system bundler may be tricky. Ruby 2.6 is still in the security maintenance phase. Best ---------------------------------------- Bug #18431: Ruby 2.6.9, bundler 1.17.2 and CVE-2021-43809 https://bugs.ruby-lang.org/issues/18431#change-95635 * Author: npic1 (Nat Pic1) * Status: Closed * Priority: Normal * Assignee: hsbt (Hiroshi SHIBATA) * Backport: 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN ---------------------------------------- Hi, Ruby 2.6.9 ships with bundler 1.17.2, which is affected by CVE-2021-43809. Is there a plan to upgrade it to resolve the issue? I saw that in the past, there was an upgrade and then a downgrade because of some issue: https://git.ruby-lang.org/ruby.git/commit/?id=91533d9ab17a08385381d87991e01e8674e069a1 Thanks a lot, Regards Nat -- https://bugs.ruby-lang.org/ Unsubscribe: