
rubygems: 2.6.10 -> 2.6.13 #29102

Merged
merged 2 commits into from Sep 8, 2017

Conversation

@peterhoeg (Member)

Motivation for this change

A bunch of nasty CVEs: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/

I haven't run nox-review wip as it causes quite a lot of packages to be rebuilt, but I did compile all versions of ruby. Do we push something like this to staging first?

Cc: @grahamc

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Fixes a number of CVEs:

- a DNS request hijacking vulnerability. (CVE-2017-0902)
- an ANSI escape sequence vulnerability. (CVE-2017-0899)
- a DoS vulnerability in the query command. (CVE-2017-0900)
- a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. (CVE-2017-0901)
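Two of the vulnerability classes listed above (arbitrary file overwrite by a malicious gem, and terminal ANSI escape sequences carried in gem metadata) are the kind of thing an installer has to guard against on the untrusted-input boundary. The following is an added example of such guards, written for this page; it is not RubyGems' own code, not the 2.6.13 fix, and not part of the PR. The install directory and the archive entry names are constructed sample input.

```ruby
# Added example (not RubyGems' code): defensive checks of the kind an
# installer needs when unpacking an attacker-controlled gem archive.

# Return true only if ENTRY_NAME (a path as it appears inside a gem's tar
# archive) resolves to a location strictly inside INSTALL_DIR.
# Absolute paths, Windows drive paths, "~" home expansion, NUL bytes and
# ".." traversal that escapes the directory are all rejected.
def safe_install_path?(install_dir, entry_name)
  return false if entry_name.nil? || entry_name.empty?
  return false if entry_name.include?("\0")
  return false if entry_name.start_with?("/", "~")
  return false if entry_name.match?(/\A[A-Za-z]:[\\\/]/)

  root   = File.expand_path(install_dir)
  target = File.expand_path(entry_name, root)
  # Require root plus a separator so that "/tmp/gems-evil/x" cannot pass
  # as being inside "/tmp/gems".
  target.start_with?(root + File::SEPARATOR)
end

# Split a list of archive entries into those safe to write under
# INSTALL_DIR and those that must be refused.
def partition_entries(install_dir, entry_names)
  entry_names.partition { |name| safe_install_path?(install_dir, name) }
end

# CSI sequences (ESC [ params intermediates final) and two-byte ESC
# sequences, the forms used to recolor or rewrite a terminal line.
ANSI_ESCAPE = /\e(?:\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]|[\x40-\x5f])/

# Strip terminal escape sequences from text that came out of a gem's
# metadata before echoing it to the user's terminal.
def strip_ansi(text)
  text.gsub(ANSI_ESCAPE, "")
end

# Constructed sample input: entry names a hostile archive might carry.
SAMPLE_ENTRIES = [
  "lib/foo.rb",
  "bin/foo",
  "../../../../etc/passwd",
  "/etc/passwd",
  "lib/../../outside.rb",
  "~/.bashrc",
].freeze

if __FILE__ == $PROGRAM_NAME
  safe, unsafe = partition_entries("/tmp/gem-install", SAMPLE_ENTRIES)
  puts "safe:   #{safe.inspect}"
  puts "unsafe: #{unsafe.inspect}"
  puts strip_ansi("\e[31mDanger\e[0m summary").inspect
end
```

The `start_with?(root + File::SEPARATOR)` comparison is deliberate: comparing against the bare root prefix is a classic mistake that lets a sibling directory with the same prefix pass the check.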
@mention-bot

@peterhoeg, thanks for your PR! By analyzing the history of the files in this pull request, we identified @zimbatm, @andrzejtrzaska and @pikajude to be potential reviewers.

@Mic92 Mic92 merged commit 9897303 into NixOS:master Sep 8, 2017
@Mic92 (Member) commented Sep 8, 2017

No, staging is not needed here. Let's get this quickly in stable as well.

@peterhoeg peterhoeg deleted the f/gems branch September 18, 2017 07:42
@peterhoeg peterhoeg restored the f/gems branch September 18, 2017 11:45
@peterhoeg peterhoeg deleted the f/gems branch September 26, 2017 10:03
@peterhoeg peterhoeg restored the f/gems branch September 26, 2017 12:47
@peterhoeg peterhoeg deleted the f/gems branch September 29, 2017 00:45