From: "usa (Usaku NAKAMURA)"
Date: 2013-12-22T14:10:55+09:00
Subject: [ruby-core:59265] [Backport93 - Backport #9193][Closed] ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23

Issue #9193 has been updated by usa (Usaku NAKAMURA).

Status changed from Assigned to Closed

----------------------------------------
Backport #9193: ruby 1.9.3-p484 still vulnerable to CVE-2013-4287 and CVE-2013-4363 in included rubygems 1.8.23
https://bugs.ruby-lang.org/issues/9193#change-43823

Author: jeremyevans0 (Jeremy Evans)
Status: Closed
Priority: High
Assignee: usa (Usaku NAKAMURA)
Category:
Target version:

It appears that ruby 2.0.0-p353 included an update to rubygems 2.0.10 which fixes CVE-2013-4287 and CVE-2013-4363. ruby 1.9.3-p484 did not contain an update to the included rubygems, so it is still vulnerable.

ruby 1.9.3 should either be updated to use rubygems 1.8.27 or 1.8.28, or the attached patch should be applied to fix the two CVEs.

--
http://bugs.ruby-lang.org/