CVE-2018-1000076
status : fixed
cvss2Score : 7.5
Attack Vector: N
Access Complexity : L
Autentication: N
Availability Impact :P
Affected packages:
['ruby', 'ruby-irb', 'ruby-libs', 'rubygem-bigdecimal', 'rubygem-io-console', 'rubygem-psych', 'rubygem-rdoc', 'rubygems']
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.
https://nvd.nist.gov/vuln/detail/CVE-2018-1000076
This CVE meets the fix criteria for StarlingX. Therefore, it needs to be fixed in master for stx.3.0 and then cherry-picked to r/stx.2.0.