Comment 4 for bug 1849195

OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/695775
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=ea25ae6f265f6a9531dd72a8576462a71c3074dc
Submitter: Zuul
Branch: master

commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500

    Uprev ruby and associated gems to subminor ver 36

    All affected packages are moved forward to their -36 version.

    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)

    along with numerous other issues.

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006124.html

    for more details.

    Note that rubygem-json is moved back to version 1.7.7-36 as it
    should never have been moved to 2.0.2-2 in the first place. That
    appears to have occurred accidentally, taking the package from
    opstools instead of os when moving to CentOS 7.6.

    Change-Id: I732a0ddba6e2aa5ebda0e10f6e633f60c162890c
    Closes-Bug: 1849195
    Closes-Bug: 1849203
    Signed-off-by: Jim Somerville <email address hidden>
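The first issue the commit lists, directory traversal in Dir via an embedded NUL byte, is a path-validation failure mode that application code can guard against regardless of the interpreter version. The following Ruby example is added here as an illustration and is not part of the commit or of the StarlingX tools repository; the helper names (`safe_join`, `path_allowed?`, `list_under`), the base directory `/srv/data` and the sample paths are constructed for the example. It rejects any caller-supplied path containing a NUL byte before the string reaches `File`/`Dir`, then confirms the expanded result still lies under the intended base directory.

```ruby
require "tmpdir"
require "fileutils"

# Raised when a caller-supplied path fails validation.
class UnsafePathError < StandardError; end

# Join user_path onto base_dir, refusing inputs that would be handed to
# File/Dir with an embedded NUL byte or that resolve outside base_dir.
# Names and behaviour are constructed for this example.
def safe_join(base_dir, user_path)
  # A NUL byte can truncate the path at the C level; refuse it up front
  # rather than relying on the interpreter to raise.
  raise UnsafePathError, "NUL byte in path" if user_path.include?("\0")

  base = File.expand_path(base_dir)
  full = File.expand_path(user_path, base)

  # Prefix check: "/srv/data" must not accept "/srv/database/..."; handle
  # a base of "/" whose expansion already ends with the separator.
  prefix = base.end_with?(File::SEPARATOR) ? base : base + File::SEPARATOR
  unless full == base || full.start_with?(prefix)
    raise UnsafePathError, "path escapes base directory"
  end
  full
end

# Boolean form of the same check, for callers that only want a verdict.
def path_allowed?(base_dir, user_path)
  safe_join(base_dir, user_path)
  true
rescue UnsafePathError
  false
end

# List the entry names directly under a validated subdirectory; Dir only ever
# sees a path that has already passed safe_join.
def list_under(base_dir, user_path)
  dir = safe_join(base_dir, user_path)
  Dir.glob(File.join(dir, "*")).map { |p| File.basename(p) }.sort
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs against a constructed base directory.
  samples = ["reports/q3.txt", "../etc/passwd", "reports\0/../../etc/passwd", "/etc/passwd"]
  samples.each do |p|
    puts "#{p.inspect.ljust(36)} allowed=#{path_allowed?('/srv/data', p)}"
  end

  # Demonstrate the Dir-facing helper on a throwaway directory tree.
  Dir.mktmpdir do |tmp|
    FileUtils.mkdir_p(File.join(tmp, "reports"))
    File.write(File.join(tmp, "reports", "q3.txt"), "sample")
    puts list_under(tmp, "reports").inspect
  end
end
```

The NUL-byte check comes before `File.expand_path` because newer interpreters raise `ArgumentError` on such strings; raising the application's own error keeps the rejection explicit and loggable. The prefix comparison uses the separator-terminated base so that a sibling directory sharing the same leading characters is not accepted.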