Date: Thu, 26 Mar 2020 04:40:23 +0000 (UTC)
From: Koichiro Iwao <meta@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r529161 - head/security/vuxml
Message-ID: <202003260440.02Q4eN1A045844@repo.freebsd.org>
Author: meta Date: Thu Mar 26 04:40:22 2020 New Revision: 529161 URL: https://svnweb.freebsd.org/changeset/ports/529161 Log: security/vuxml: Document CVE-2020-10663 (devel/rubygem-json) PR: 245023 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Mar 26 00:35:12 2020 (r529160) +++ head/security/vuxml/vuln.xml Thu Mar 26 04:40:22 2020 (r529161) 
@@ -58,6 +58,46 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="40194e1c-6d89-11ea-8082-80ee73419af3"> + <topic>rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix)</topic> + <affects> + <package> + <name>rubygem-json</name> + <range><le>2.3.0</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <blockquote cite="https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/"> + <p>When parsing certain JSON documents, the json gem (including the + one bundled with Ruby) can be coerced into creating arbitrary objects + in the target system.</p> + <p>This is the same issue as CVE-2013-0269. The previous fix was incomplete, + which addressed JSON.parse(user_input), but didn’t address some other + styles of JSON parsing including JSON(user_input) and + JSON.parse(user_input, nil).</p> + <p>See CVE-2013-0269 in detail. Note that the issue was exploitable to + cause a Denial of Service by creating many garbage-uncollectable + Symbol objects, but this kind of attack is no longer valid because + Symbol objects are now garbage-collectable. However, creating arbitrary + bjects may cause severe security consequences depending upon the + application code.</p> + <p>Please update the json gem to version 2.3.0 or later. You can use + gem update json to update it. If you are using bundler, please add + gem "json", ">= 2.3.0" to your Gemfile.</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/</url> + <cvename>CVE-2020-10663</cvename> + </references> + <dates> + <discovery>2020-03-19</discovery> + <entry>2020-03-26</entry> + </dates> + </vuln> + <vuln vid="5bf6ed6d-9002-4f43-ad63-458f59e45384"> <topic>jenkins -- multiple vulnerabilities</topic> <affects>
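Review bot: The `<range><le>2.3.0</le></range>` in the new entry contradicts the quoted advisory text in the same hunk, which says to "update the json gem to version 2.3.0 or later"; if 2.3.0 is the fixed release, the range should be `<range><lt>2.3.0</lt></range>`, otherwise the fixed version stays flagged as vulnerable. The topic line "Unsafe Objection Creation Vulnerability in JSON (Additional fix)" also looks like a typo for "Unsafe Object Creation", which is what the body describes (the gem "can be coerced into creating arbitrary objects"), and "creating arbitrary bjects" in the third paragraph is missing the leading "o". Finally, the quoted text notes the gem is also "bundled with Ruby", and the file's own note above this hunk says "Do not forget port variants", so consider whether the affects block should list the Ruby ports that ship the bundled json as well as rubygem-json.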