From: naruse@... Date: 2018-03-19T08:27:16+00:00 Subject: [ruby-core:86194] [Ruby trunk Bug#14481] Backport request for RubyGems 2.7.6 Issue #14481 has been updated by naruse (Yui NARUSE). Backport changed from 2.3: DONE, 2.4: DONE, 2.5: REQUIRED to 2.3: DONE, 2.4: DONE, 2.5: DONE ruby_2_5 r62837 merged revision(s) 62244,62246,62301,62302,62303,62422,62436,62452. ---------------------------------------- Bug #14481: Backport request for RubyGems 2.7.6 https://bugs.ruby-lang.org/issues/14481#change-71091 * Author: hsbt (Hiroshi SHIBATA) * Status: Closed * Priority: Normal * Assignee: hsbt (Hiroshi SHIBATA) * Target version: * ruby -v: * Backport: 2.3: DONE, 2.4: DONE, 2.5: DONE ---------------------------------------- RubyGems 2.7.6 has been released. It contained the several vulnerability fixes. http://blog.rubygems.org/2018/02/15/2.7.6-released.html I created patches for all of the active branches of Ruby. ### rubygems-276-for-ruby25.patch This patch for upgrading RubyGems 2.7.3 to 2.7.6 and tiny changes for test-case. So, It includes following fixes: * https://github.com/rubygems/rubygems/pull/2189 * https://github.com/rubygems/rubygems/pull/2194 ### rubygems-276-for-ruby24.patch and rubygems-276-for-ruby23.patch These patches contained RubyGems 2.7.6 security fixes and [tempfile leak fixes](https://github.com/rubygems/rubygems/pull/2194). ### rubygems-276-for-ruby22.patch This patch fixed security vulnerabilities for RubyGems 2.7.6. But I removed patch for "Prevent path traversal when writing to a symlinked basedir outside of the root. Discovered by nmalkin, fixed by Jonathan Claudius and Samuel Giddins." (It was not assigned CVE number) Because to support packaging with symlink was provided after RubyGems 2.5. https://github.com/rubygems/rubygems/pull/1209 So, Ruby 2.2 contained RubyGems 2.4. It's affected by its vulnerability. To nalsh, nagachika, usa Please backport them. ---Files-------------------------------- rubygems-276-for-ruby25.patch (77.4 KB) rubygems-276-for-ruby24.patch (19.5 KB) rubygems-276-for-ruby23.patch (19.5 KB) rubygems-276-for-ruby22.patch (15.5 KB) -- https://bugs.ruby-lang.org/ Unsubscribe: