Skip to content

Update rubygems to 2.4.8 to mitigate CVE-2015-4020#3030

Merged
enebo merged 1 commit intojruby:jruby-1_7from
haus:jruby-1_7
Jun 10, 2015
Merged

Update rubygems to 2.4.8 to mitigate CVE-2015-4020#3030
enebo merged 1 commit intojruby:jruby-1_7from
haus:jruby-1_7

Conversation

@haus
Copy link
Contributor

@haus haus commented Jun 9, 2015

CVE-2015-4020 was announced today. It is described here:
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478.
The security vulnerability has been addressed in rubygems 2.4.8. As
jruby 1.7 has 2.4.6 included, this commit updates it to 2.4.8.

@haus
Update rubygems to 2.4.8 to mitigate CVE-2015-4020
b1cf616 
CVE-2015-4020 was announced today. It is described here:
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478.
The security vulnerability has been addressed in rubygems 2.4.8. As
jruby 1.7 has 2.4.6 included, this commit updates it to 2.4.8.
@ScottGarman
Copy link

ScottGarman commented Jun 9, 2015

👍

@haus
Copy link
Contributor Author

haus commented Jun 9, 2015

Side note: There seems to be some confusion between https://github.com/rubygems/rubygems/blob/2.4/History.txt#L5-L14 and https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478. The former references CVE-2015-3900, while the latter references CVE-2015-4020.

@enebo
Copy link
Member

enebo commented Jun 10, 2015

@haus Thanks for the PR. We plan on putting out a security release 1.7.20.1 in the next day or so. We were just waiting for 2.4.8 to drop and apparently it did :)

@haus
Copy link
Contributor Author

haus commented Jun 10, 2015

@enebo cool. sounds great.

enebo added a commit that referenced this pull request Jun 10, 2015
@enebo
Merge pull request #3030 from haus/jruby-1_7
dc15103 
Update rubygems to 2.4.8 to mitigate CVE-2015-4020
@enebo enebo merged commit dc15103 into jruby:jruby-1_7 Jun 10, 2015
@enebo
Copy link
Member

enebo commented Jun 10, 2015

@haus I cherry-picked your commit for 1.7.20 and master and just now I merged to jruby-1_7 branch. Thanks for preparing the patch!

@enebo enebo added this to the JRuby 1.7.21 milestone Jun 10, 2015
@enebo enebo added the stdlib label Jun 10, 2015
@claudijd
Copy link

claudijd commented Jun 11, 2015

+1

@claudijd
Copy link

claudijd commented Jun 11, 2015

@haus To clarify on the confusion you mentioned above between RubyGems history and our Trustwave advisories...

The initial vulnerability was assigned CVE-2015-3900 and has this advisory (https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356)

After that advisory was released, we got more eyes on the fix and someone from our team discovered a bypass technique for it. We then requested an new CVE from MITRE (CVE-2015-4020) because the fixed versions will not be the same. We also issued a second advisory for this, which acknowledges the incomplete fix (https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478). It seems as though the second fix was not acknowledged in the history in RubyGems and was just referred to by the original CVE.

It's not a big deal, but hopefully this helps clarify the nuance.

@claudijd
Copy link

claudijd commented Jun 11, 2015

Also, props to @enebo for a quick response to this! Thanks!

@mprins mprins mentioned this pull request Jun 11, 2015
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

stdlib

Projects

None yet

Milestone

JRuby 1.7.21

Development

Successfully merging this pull request may close these issues.

4 participants

@haus @ScottGarman @enebo @claudijd