Reviewed: https://review.opendev.org/695775
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=ea25ae6f265f6a9531dd72a8576462a71c3074dc
Submitter: Zuul
Branch: master
commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500
Uprev ruby and associated gems to subminor ver 36
All affected packages are moved forward to their -36 version.
This solves:
ruby: Unintentional directory traversal by poisoned NULL byte
in Dir (CVE-2018-8780)
rubygems: Improper verification of signatures in tarball
allows to install mis-signed gem (CVE-2018-1000076)
along with numerous other issues.
See the announcement link:
https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006124.html
for more details.
Note that rubygem-json is moved back to version 1.7.7-36 as it
should never have been moved to 2.0.2-2 in the first place. That
appears to have occurred accidentally, taking the package from
opstools instead of os when moving to CentOS 7.6.
Change-Id: I732a0ddba6e2aa5ebda0e10f6e633f60c162890c
Closes-Bug: 1849195
Closes-Bug: 1849203
Signed-off-by: Jim Somerville <email address hidden>