
Update rubygems to 2.4.8 to mitigate CVE-2015-4020 #3030

Merged
merged 1 commit into from
Jun 10, 2015

Conversation

haus
Contributor

@haus haus commented Jun 9, 2015

CVE-2015-4020 was announced today. It is described here:
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478.
The security vulnerability has been addressed in rubygems 2.4.8. As
jruby 1.7 has 2.4.6 included, this commit updates it to 2.4.8.

@ScottGarman

👍

@haus
Contributor Author

haus commented Jun 9, 2015

Side note: There seems to be some confusion between https://github.com/rubygems/rubygems/blob/2.4/History.txt#L5-L14 and https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478. The former references CVE-2015-3900, while the latter references CVE-2015-4020.

@enebo
Member

enebo commented Jun 10, 2015

@haus Thanks for the PR. We plan on putting out a security release 1.7.20.1 in the next day or so. We were just waiting for 2.4.8 to drop and apparently it did :)

@haus
Contributor Author

haus commented Jun 10, 2015

@enebo cool. sounds great.

enebo added a commit that referenced this pull request Jun 10, 2015
Update rubygems to 2.4.8 to mitigate CVE-2015-4020
@enebo enebo merged commit dc15103 into jruby:jruby-1_7 Jun 10, 2015
@enebo
Member

enebo commented Jun 10, 2015

@haus I cherry-picked your commit for 1.7.20 and master and just now I merged to jruby-1_7 branch. Thanks for preparing the patch!

@enebo enebo added this to the JRuby 1.7.21 milestone Jun 10, 2015
@enebo enebo added the stdlib label Jun 10, 2015
@claudijd

+1

@claudijd

@haus To clarify on the confusion you mentioned above between RubyGems history and our Trustwave advisories...

The initial vulnerability was assigned CVE-2015-3900 and has this advisory (https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356)

After that advisory was released, we got more eyes on the fix and someone from our team discovered a bypass technique for it. We then requested a new CVE from MITRE (CVE-2015-4020) because the fixed versions will not be the same. We also issued a second advisory for this, which acknowledges the incomplete fix (https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478). It seems as though the second fix was not acknowledged in the history in RubyGems and was just referred to by the original CVE.

It's not a big deal, but hopefully this helps clarify the nuance.

@claudijd

Also, props to @enebo for a quick response to this! Thanks!
