Bug 4000

Summary: ruby possibly missing security update for CVE-2010-0541 and CVE-2011-0188
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Pascal Terjan <pterjan>
Status: RESOLVED DUPLICATE
QA Contact:
Severity: normal
Priority: Normal
CC: pterjan, shikamaru
Version: 1
Keywords: Triaged
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: ruby-1.8.7.p334-1.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-01-01 21:55:57 CET
Mandriva issued this advisory on May 23:
http://lists.mandriva.com/security-announce/2011-05/msg00022.php

It is not totally clear which versions of Ruby are vulnerable to these, but our Ruby package is from February 20.  The other two CVEs are fixed in p334.
Comment 1 Manuel Hiebel 2012-01-01 23:14:35 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
CC: (none) => pterjan

Manuel Hiebel 2012-01-02 00:14:12 CET

Assignee: bugsquad => pterjan

Comment 2 Manuel Hiebel 2012-01-16 17:05:35 CET
Ping?

CC: (none) => shikamaru

Comment 3 Manuel Hiebel 2012-02-01 11:44:42 CET
Ping?
Comment 4 Pascal Terjan 2012-02-12 20:42:47 CET
CVE-2010-0541 is very old and was fixed in Ruby 1.8.7-p299.

CVE-2011-0188 was fixed upstream by http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/bigdecimal/bigdecimal.c?r1=29364&r2=30993&view=patch

Backport by Debian for easy inclusion in the package: http://patch-tracker.debian.org/patch/series/view/ruby1.8/1.8.7.352-2/110703_CVE-2011-0188.patch
Comment 5 Pascal Terjan 2012-02-13 00:32:38 CET
Merged with bug #4031

*** This bug has been marked as a duplicate of bug 4031 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE