Add Ruby CVE 2018-16395 (#358) #359
Conversation
Is it possible to express the openssl gem workaround as solving this CVE? I don't know if I can update Ruby but I can definitely update openssl. Also, it appears that openssl 2.1.2 hasn't actually been released yet.
I don't think there's a way to express that in this file - and it looks like previous issues with OpenSSL are raised against ruby and we don't have OpenSSL as a separate gem that we could record it against.
In later rubies the openssl gem can be independently updated rather than updating Ruby itself.
I've added a note about the "upgrade openssl gem separately" workaround from the announcement.
Oddly https://rubygems.org/gems/openssl does not have 2.1.2 published

…On Thu, 18 Oct 2018 at 10:56, Bruce wrote:
I've added a note about the "upgrade openssl gem separately" workaround from the announcement.

--
Best regards,
Thong Kuah
https://kuahyeow.com
Indeed, and no sign in their GitHub of one being about to be created either. Should we take the workaround note out (people can find it from the announcement that we'll be pointing them to anyway)?
ruby/openssl#226 is the issue to track about that one.
I concur about removing the workaround note. It can be put back once an upgraded gem is released.

…On Thu, 18 Oct 2018 at 11:04, Bruce wrote:
Indeed, and no sign in their GitHub of one being about to be created either. Should we take the workaround note out (people can find it from the announcement that we'll be pointing them to anyway)?

--
Best regards,
Thong Kuah
https://kuahyeow.com
Need to hint at this being an option as the "following workarounds" text from the announcement doesn't make sense otherwise.
I've updated the workaround text to reflect the current situation. Request review/merge.
@reedloden also please could you look at this one and merge if happy - I've re-added the workaround text in the description now that openssl v2.1.2 has been released (I've checked it's visible on rubygems.org).
Fix a few typos and formatting
Thank you so much! :-)
This PR adds CVE 2018-16395 impacting Ruby.
Note that no new preview release of Ruby 2.6.0 has been announced, so I don't believe there is a patched version that can be indicated at this time.
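The thread's workaround is to upgrade the openssl gem on its own, to 2.1.2 or later, where the interpreter cannot be updated. The check below is an added example and is not code from this PR or from the advisory database; it only assumes the fixed gem version named in the discussion (2.1.2) and uses `OpenSSL::VERSION`, which in the openssl gem reports the gem's own version rather than the linked OpenSSL library version (that is `OpenSSL::OPENSSL_LIBRARY_VERSION`, a distinction that matters when auditing this particular workaround).

```ruby
require "rubygems"

# Fixed openssl gem version named in the PR discussion. Everything else in
# this file is illustrative and not taken from the advisory entry itself.
PATCHED_OPENSSL_GEM = "2.1.2"

# Returns true when +installed+ (a version string such as "2.1.2" or "2.0.9")
# is at least the patched gem version. Gem::Version is used so that multi-part
# and prerelease versions compare correctly ("2.1.2.pre1" < "2.1.2"), which a
# plain string comparison would get wrong. Unparseable or missing input is
# treated conservatively as "not patched".
def openssl_gem_patched?(installed, patched = PATCHED_OPENSSL_GEM)
  return false if installed.nil?
  return false unless Gem::Version.correct?(installed.to_s)

  Gem::Version.new(installed.to_s) >= Gem::Version.new(patched)
end

# Version of the openssl gem actually loaded into this interpreter, or nil when
# the gem is unavailable. OpenSSL::VERSION is the gem version; the library
# version lives in OpenSSL::OPENSSL_LIBRARY_VERSION and is not what the
# "upgrade the openssl gem separately" workaround is about.
def loaded_openssl_gem_version
  require "openssl"
  OpenSSL::VERSION
rescue LoadError
  nil
end

# Builds a small report suitable for a compliance check or a CI gate:
# which gem version is present, which one is required, and the resulting action.
def workaround_report(installed, patched: PATCHED_OPENSSL_GEM)
  ok = openssl_gem_patched?(installed, patched)
  action =
    if ok
      "openssl gem is at or above #{patched}; workaround already in place"
    else
      "upgrade the openssl gem to #{patched} or later, or update Ruby to a fixed release"
    end
  { installed: installed, required: patched, patched: ok, action: action }
end

if $PROGRAM_NAME == __FILE__
  # Stand-alone run: report on the interpreter executing this script.
  puts workaround_report(loaded_openssl_gem_version).inspect
end
```

Running the file prints the report for the current interpreter; in a CI pipeline the `:patched` flag is the value to gate on. Note that on older rubies where openssl is not a separately installable gem, a newer gem cannot be loaded in place of the bundled one, so the report's "upgrade the openssl gem" action only applies where the thread says it does.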