[3.11, 3.12, 3.13] main/ruby-bundler: vulnerable to CVE-2020-36327
Hello,
The security team is not certain what the best way to fix this issue is, due to lack of familiarity with the Ruby ecosystem. So, I am opening this bug to allow somebody with more experience in the Ruby ecosystem to help find a mitigation. Specifically, we do not know what effect upgrading Bundler would have for users using it in production.
Description
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.
Affected Branches
- 3.11-stable (2.0.2-r1)
- 3.12-stable (2.1.4-r1)
- 3.13-stable (2.2.2-r0)
Please fix according to what you think is appropriate, and then record the appropriate secfixes entries in the APKBUILD. Thanks!
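An added illustration of the resolution behaviour described above (example code written for this report, not Bundler's own implementation): against constructed sample indexes, a resolver that pools every configured source and takes the highest version picks the public gem, while one that looks a gem up only in its pinned source returns the private one; the last helper lists names that appear on more than one source, which is the check a maintainer would want to run over such an index. The source URLs, gem names and versions are invented.

```ruby
# Illustration only; this is not Bundler's code. Gem::Version comes from
# RubyGems, which Ruby loads by default, and gives proper version ordering.
Candidate = Struct.new(:name, :version, :source)

def candidate(name, version, source)
  Candidate.new(name, Gem::Version.new(version), source)
end

# Constructed sample data: "internal-auth" is a private gem at 1.2.0, and a
# same-named gem with a much higher version has been published publicly.
PRIVATE_SRC = "https://gems.example.internal"
PUBLIC_SRC  = "https://rubygems.org"

INDEX = {
  PRIVATE_SRC => [
    candidate("internal-auth", "1.2.0", PRIVATE_SRC),
  ],
  PUBLIC_SRC => [
    candidate("internal-auth", "99.0.0", PUBLIC_SRC),
    candidate("rack", "2.2.3", PUBLIC_SRC),
  ],
}.freeze

# Vulnerable behaviour: every source is pooled and the highest version wins,
# regardless of which source the application meant the gem to come from.
def resolve_highest_version(name, index = INDEX)
  index.values.flatten.select { |c| c.name == name }.max_by(&:version)
end

# Mitigated behaviour: the gem is only looked up in the source it is pinned
# to, so a higher version on another source is never considered.
def resolve_pinned(name, pinned_source, index = INDEX)
  index.fetch(pinned_source, []).select { |c| c.name == name }.max_by(&:version)
end

# Check: gem names that exist on more than one configured source. Any name
# returned here is a candidate for being resolved from the wrong source.
def ambiguous_gems(index = INDEX)
  index.flat_map { |src, cands| cands.map { |c| [c.name, src] } }
       .uniq
       .group_by(&:first)
       .select { |_, pairs| pairs.size > 1 }
       .keys
       .sort
end

if __FILE__ == $PROGRAM_NAME
  puts "pooled:   #{resolve_highest_version('internal-auth').source}"
  puts "pinned:   #{resolve_pinned('internal-auth', PRIVATE_SRC).version}"
  puts "ambiguous: #{ambiguous_gems.inspect}"
end
```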