Update rubygems to 2.4.8 to mitigate CVE-2015-4020 #3030
CVE-2015-4020 was announced today. It is described here: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478. The security vulnerability has been addressed in rubygems 2.4.8. As jruby 1.7 has 2.4.6 included, this commit updates it to 2.4.8.
Side note: There seems to be some confusion between https://github.com/rubygems/rubygems/blob/2.4/History.txt#L5-L14 and https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478. The former references CVE-2015-3900, while the latter references CVE-2015-4020.
@haus To clarify on the confusion you mentioned above between RubyGems history and our Trustwave advisories...
The initial vulnerability was assigned CVE-2015-3900 and has this advisory (https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356)
After that advisory was released, we got more eyes on the fix and someone from our team discovered a bypass technique for it. We then requested a new CVE from MITRE (CVE-2015-4020) because the fixed versions will not be the same. We also issued a second advisory for this, which acknowledges the incomplete fix (https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478). It seems as though the second fix was not acknowledged in the history in RubyGems and was just referred to by the original CVE.
It's not a big deal, but hopefully this helps clarify the nuance.