[3.9] ruby: Multiple vulnerabilities (CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325) (#10287) · Issues · alpine / aports

[3.9] ruby: Multiple vulnerabilities (CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325)

CVE-2019-8320: Delete directory using symlink when decompressing tar
CVE-2019-8321: Escape sequence injection vulnerability in verbose
CVE-2019-8322: Escape sequence injection vulnerability in gem owner
CVE-2019-8323: Escape sequence injection vulnerability in API response handling
CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325: Escape sequence injection vulnerability in errors

Affected Versions:

Ruby 2.4 series: 2.4.5 and earlier
Ruby 2.5 series: 2.5.3 and earlier

Reference:

https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/

Patches:

https://bugs.ruby-lang.org/attachments/7669 (for Ruby 2.4.5)
https://bugs.ruby-lang.org/attachments/7670 (for Ruby 2.5.3)

(from redmine: issue id 10287, created on 2019-04-18, closed on 2019-05-06)

Relations:
- parent #10286 (closed)
Changesets:
- Revision 58244868 by Natanael Copa on 2019-05-06T17:40:49Z:

main/ruby: security upgrade to 2.5.5

- CVE-2019-8320
- CVE-2019-8321
- CVE-2019-8322
- CVE-2019-8323
- CVE-2019-8324
- CVE-2019-8325

fixes #10287

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information