The attached gzip patch should fix reported security issues in rubygems
for all in-tree ruby versions. It was 60KB before being gzipped.

Rubygems security announcement:
http://blog.rubygems.org/2017/08/27/2.6.13-released.html

Ruby security announcement, containing patch files that were used for
ruby 2.2, 2.3, and 2.4:
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/

The ruby 2.2 patch applied to ruby 2.1, so it was used as is. I
manually backported the ruby 2.2 patch to ruby 1.8 (where rubygems
uses the separate devel/ruby-gems port). For JRuby, the ruby 2.4
patch was used directly.

I'm not going to have time to do sufficient testing of this until
the weekend, so if anyone else wants to try it out, please do so
and provide feedback.

Thanks,
Jeremy