
Update rubygems to 2.4.8 to mitigate CVE-2015-4020 #3030

Merged
merged 1 commit into from Jun 10, 2015

Conversation

Projects
None yet
4 participants
@haus
Contributor

haus commented Jun 9, 2015

CVE-2015-4020 was announced today. It is described here:
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478.
The security vulnerability has been addressed in rubygems 2.4.8. As
jruby 1.7 has 2.4.6 included, this commit updates it to 2.4.8.

Update rubygems to 2.4.8 to mitigate CVE-2015-4020
CVE-2015-4020 was announced today. It is described here:
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478.
The security vulnerability has been addressed in rubygems 2.4.8. As
jruby 1.7 has 2.4.6 included, this commit updates it to 2.4.8.
@ScottGarman

ScottGarman commented Jun 9, 2015

👍

@haus
Contributor

haus commented Jun 9, 2015

Side note: There seems to be some confusion between https://github.com/rubygems/rubygems/blob/2.4/History.txt#L5-L14 and https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478. The former references CVE-2015-3900, while the latter references CVE-2015-4020.

@enebo
Member

enebo commented Jun 10, 2015

@haus Thanks for the PR. We plan on putting out a security release 1.7.20.1 in the next day or so. We were just waiting for 2.4.8 to drop and apparently it did :)

@haus
Contributor

haus commented Jun 10, 2015

@enebo cool. sounds great.

enebo added a commit that referenced this pull request Jun 10, 2015

Merge pull request #3030 from haus/jruby-1_7
Update rubygems to 2.4.8 to mitigate CVE-2015-4020

@enebo enebo merged commit dc15103 into jruby:jruby-1_7 Jun 10, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
@enebo
Member

enebo commented Jun 10, 2015

@haus I cherry-picked your commit for 1.7.20 and master and just now I merged to jruby-1_7 branch. Thanks for preparing the patch!

@enebo enebo added this to the JRuby 1.7.21 milestone Jun 10, 2015

@enebo enebo added the stdlib label Jun 10, 2015

@claudijd

claudijd commented Jun 11, 2015

+1

@claudijd
claudijd commented Jun 11, 2015

@haus To clarify on the confusion you mentioned above between RubyGems history and our Trustwave advisories...

The initial vulnerability was assigned CVE-2015-3900 and has this advisory (https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356)

After that advisory was released, we got more eyes on the fix and someone from our team discovered a bypass technique for it. We then requested a new CVE from MITRE (CVE-2015-4020) because the fixed versions will not be the same. We also issued a second advisory for this, which acknowledges the incomplete fix (https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478). It seems as though the second fix was not acknowledged in the history in RubyGems and was just referred to by the original CVE.

It's not a big deal, but hopefully this helps clarify the nuance.
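The comment above explains why one bug needed two CVEs: the first fix was incomplete and a bypass was found. The thread does not describe the bypass itself. As an added illustration by the editor (not RubyGems or JRuby code, and not the actual patch), the block below contrasts the two shapes a "is this SRV target under our domain?" check can take: a bare suffix test, which the NVD description of CVE-2015-4020 says is satisfied by a name merely "suffixed with the original domain name" (the editor's reading of the public CVE text, not something stated on this page), and a check that requires a label boundary and a well-formed hostname. `ORIGIN`, `SAMPLES`, `api_endpoint` and the sample SRV targets are all constructed for the example.

```ruby
require "uri"

# Added example by the editor; not RubyGems or JRuby code. It contrasts a
# plain suffix check on a DNS SRV target with a label-boundary check, the
# class of validation the incomplete-fix / second-CVE discussion is about.
# ORIGIN and the sample targets below are constructed for illustration.

ORIGIN = "rubygems.org"

# Weak check: true for any target string that ends with the origin host.
# Per the public NVD text for CVE-2015-4020 (editor's reading, not stated on
# the page), a target merely "suffixed with the original domain name" passes.
def weak_same_domain?(target, host = ORIGIN)
  target.to_s.strip.end_with?(host)
end

# Strict check: the target must be a syntactically valid bare hostname
# (labels of letters, digits and hyphens only; no scheme, path, port or
# userinfo) and must equal the origin or sit under it at a dot boundary.
HOSTNAME_RE = /\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*\z/

def strict_same_domain?(target, host = ORIGIN)
  t = target.to_s.strip.downcase.chomp(".")   # tolerate a trailing root dot
  h = host.to_s.downcase.chomp(".")
  return false unless t.match?(HOSTNAME_RE)
  t == h || t.end_with?(".#{h}")
end

# Constructed SRV targets a resolver might hand back for
# _rubygems._tcp.rubygems.org, with whether each is really under the origin.
SAMPLES = {
  "api.rubygems.org"         => true,
  "rubygems.org"             => true,
  "api.rubygems.org."        => true,    # trailing root dot, still legitimate
  "evilrubygems.org"         => false,   # same suffix, different domain
  "rubygems.org.evil.test"   => false,   # origin used as a prefix
  "evil.test/x.rubygems.org" => false,   # not a hostname at all
}

# Returns [target, legitimate?, weak verdict, strict verdict] for each sample.
def compare(samples = SAMPLES)
  samples.map { |t, legit| [t, legit, weak_same_domain?(t), strict_same_domain?(t)] }
end

# Resolve the API endpoint the way an SRV-based redirect would, falling back
# to the original URI when the target is rejected. Pass strict: false to see
# the weak check redirect to an unrelated host.
def api_endpoint(uri, srv_target, strict: true)
  uri = URI(uri)
  ok = strict ? strict_same_domain?(srv_target, uri.host) : weak_same_domain?(srv_target, uri.host)
  return uri unless ok
  URI("#{uri.scheme}://#{srv_target.to_s.strip.chomp('.')}#{uri.path}")
end

if $PROGRAM_NAME == __FILE__
  compare.each do |t, legit, weak, strict|
    printf("%-28s legit=%-5s weak=%-5s strict=%s\n", t, legit, weak, strict)
  end
end
```

Running the block prints one row per sample; the weak check accepts `evilrubygems.org` and rejects the legitimate `api.rubygems.org.`, while the strict check agrees with the `legit` column on every row. The practical takeaway for anyone pinning a RubyGems version after this PR is the same one claudijd makes: the version that closes the first advisory is not necessarily the one that closes the bypass, so check against the later fixed version (2.4.8 for the 2.4 line, per the PR title) rather than the CVE named in History.txt.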

@claudijd
claudijd commented Jun 11, 2015

Also, props to @enebo for a quick response to this! Thanks!
