jRuby 9.0.0.0+ affected by CVE-2014-4043 #3379
Labels
Milestone
Comments
|
Someone reported this as a bug in Kernel#spawn the other day, and we figured out that it was a glibc bug. Was that you? This is good to note but I'm not sure how we pass this along. Perhaps in the 9.0.2.0 release notes we mention it and recommend glibc updates? |
|
@headius Yes, that was me 👍 Agreed, it hardly seemed like the proper place to report this, as it isn't really an issue to be fixed in jRuby. |
|
Yeah, release notes don't seem quite right either since this affects any JRuby 9k release -- past, present, and future -- on a system without glibc. Perhaps best we can do is tweet + email and these bugs. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This vulnerability (detailed here) causes problems with Kernel#spawn when the options hash is used to redirect the default file descriptors for the child process. This does not occur in MRI, presumably because it is actually FFI that is causing the issue (which MRI doesn't need to make system calls). I don't believe any action can be taken by the jRuby team to resolve this, as the issue is caused by a vulnerability in glibc versions prior to 2.20. Any users suffering from this problem should update glibc to 2.20+.
The text was updated successfully, but these errors were encountered: