| Summary: | ruby-RubyGems missing update for security issues CVE-2012-2125 and CVE-2012-2126 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Funda Wang <fundawang> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | fri, fundawang, qa-bugs |
| Version: | 2 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/495491/ | ||
| Whiteboard: | has_procedure | ||
| Source RPM: | ruby-RubyGems-1.7.2-3.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 6487 | ||
|
Description

David Walser 2013-02-13 17:11:15 CET

David Walser 2013-02-13 17:13:15 CET

Blocks: (none) => 6487

For some unknown reason Funda just rebuilt this, updating the advisory.

Advisory:
========================

Updated ruby-RubyGems package fixes security vulnerabilities:

This release increases the security used when RubyGems is talking to an https server. HTTPS connections no longer redirect to HTTP (CVE-2012-2125), and RubyGems will now verify that certificates are valid when making SSL connections (CVE-2012-2126).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2126
https://github.com/rubygems/rubygems/blob/1.8/History.txt
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079454.html
========================

Updated packages in core/updates_testing:
========================
ruby-RubyGems-1.7.2-3.2.mga2 from ruby-RubyGems-1.7.2-3.2.mga2.src.rpm

CC: (none) => fundawang

Adding feedback tag until chiliproject, redmine & teambox are updated

Whiteboard: has_procedure => has_procedure feedback

Removing feedback marker. As per QA meeting this can be pushed once tested.

Whiteboard: has_procedure feedback => has_procedure

Testing mga2 64
```
$ gem list
*** LOCAL GEMS ***
atk (1.0.3)
cairo (1.10.2)
gdk_pixbuf2 (1.0.3)
glib2 (1.0.3)
gtk2 (1.0.3)
msgpack (0.4.6)
pango (1.0.3)
pkg-config (1.1.0)
$ gem list --both a
*** LOCAL GEMS ***
atk (1.0.3)
*** REMOTE GEMS ***
a (0.1.1)
a-gem (0.0.2)
a2_printer (0.1.0)
<snip>
azul (0.0.1)
azure (0.1.1)
$ gem install azure
Fetching: systemu-2.5.2.gem (100%)
ERROR: While executing gem ... (Gem::FilePermissionError)
You don't have write permissions into the /usr/lib/ruby/gems/1.8 directory.
$ su -
Password:
# gem install azure
Fetching: systemu-2.5.2.gem (100%)
Fetching: macaddr-1.6.1.gem (100%)
Fetching: uuid-2.3.7.gem (100%)
Fetching: libxml-ruby-2.3.3.gem (100%)
Building native extensions. This could take a while...
ERROR: Error installing azure:
ERROR: Failed to build gem native extension.
/usr/bin/ruby extconf.rb
mkmf.rb can't find header files for ruby at /usr/lib/ruby/ruby.h
Gem files will remain installed in /usr/lib/ruby/gems/1.8/gems/libxml-ruby-2.3.3 for inspection.
Results logged to /usr/lib/ruby/gems/1.8/gems/libxml-ruby-2.3.3/ext/libxml/gem_make.out
# urpmi ruby-devel
# gem install azure
Building native extensions. This could take a while...
Fetching: ratom-0.7.2.gem (100%)
Fetching: nokogiri-1.5.6.gem (100%)
Building native extensions. This could take a while...
ERROR: Error installing azure:
ERROR: Failed to build gem native extension.
/usr/bin/ruby extconf.rb
checking for libxml/parser.h... yes
checking for libxslt/xslt.h... no
-----
libxslt is missing. please visit http://nokogiri.org/tutorials/installing_nokogiri.html for help with installing dependencies.
-----
etc.
# gem uninstall libxml-ruby macaddr ratom systemu uuid
You have requested to uninstall the gem:
libxml-ruby-2.3.3
ratom-0.7.2 depends on [libxml-ruby (~> 2.3.2)]
If you remove this gems, one or more dependencies will not be met.
Continue with Uninstall? [Yn] y
Successfully uninstalled libxml-ruby-2.3.3
You have requested to uninstall the gem:
macaddr-1.6.1
uuid-2.3.7 depends on [macaddr (~> 1.0)]
If you remove this gems, one or more dependencies will not be met.
Continue with Uninstall? [Yn] y
Successfully uninstalled macaddr-1.6.1
Successfully uninstalled ratom-0.7.2
Successfully uninstalled systemu-2.5.2
Remove executables:
uuid
in addition to the gem? [Yn] y
Removing uuid
Successfully uninstalled uuid-2.3.7
```
Azure was a bad one to choose; it fails missing lib64xslt, possibly -devel, but it shows that ruby-RubyGems is maybe missing a require on ruby-devel.

```
# rpm -q ruby-RubyGems
ruby-RubyGems-1.7.2-3.2.mga2
```

Adding feedback marker again :D

Whiteboard: has_procedure => has_procedure feedback

Yep, Funda had some issues with RubyGems when trying to do the security update for ruby-rdoc (Bug 9081), so this package probably needs another update. Assigning Funda until this is ready. Please reassign to QA when you've had a chance to look. Thanks

CC: (none) => qa-bugs

Side question: will ChiliProject appear in mga3? (No problem, I installed Redmine now instead (which ChiliProject forked from), just curious.)

CC: (none) => fri

(In reply to Morgan Leijström from comment #8)
> Side question: will ChiliProject appear in mga3?
> (No problem, I installed Redmine now instead (which ChiliProject forked
> from), just curious.

File a bug and request it. Thomas Spuhler fixed it right after Cauldron opened. Since it was in Mageia 2, it can be reintroduced in Mageia 3 as an update.

Closing this now due to Mageia 2 EOL.
http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Status: NEW => RESOLVED
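The two client behaviours the advisory in this bug describes (an HTTPS connection must never follow a redirect down to plain HTTP, and the server certificate must actually be verified) are easy to get wrong in any Ruby HTTP client, not just RubyGems. The following is an added example written for this page; it is not RubyGems' code and not part of the Mageia update. The host names and paths are constructed, and `safe_redirect_target`, `build_client`, `fetch` and `DowngradeError` are names chosen here for illustration.

```ruby
# Added example (not RubyGems code): a small HTTPS fetch helper that enforces
# the two properties the advisory describes. Names and URLs are made up.
require 'net/http'
require 'openssl'
require 'uri'

# Raised when a redirect would leave TLS for plain HTTP.
class DowngradeError < StandardError; end

# Resolve a Location header against the current request URI and reject any
# hop that drops from https to http (the CVE-2012-2125 class of problem).
# Relative Locations are resolved with URI.join, so they inherit https.
def safe_redirect_target(current, location)
  current = URI(current)
  target = URI.join(current, location)
  if current.scheme == 'https' && target.scheme != 'https'
    raise DowngradeError, "refusing https -> #{target.scheme} redirect to #{target}"
  end
  target
end

# Build a Net::HTTP client that verifies the server certificate against the
# system CA store (the CVE-2012-2126 fix) rather than VERIFY_NONE. An optional
# ca_file pins a private CA bundle, e.g. for an internal gem mirror.
def build_client(uri, ca_file: nil)
  uri = URI(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = ca_file if ca_file
  end
  http
end

# Follow up to `limit` redirects, re-checking the scheme on every hop.
# Needs network access; the offline demo below exercises only the checks.
def fetch(uri, limit = 5)
  raise ArgumentError, 'too many redirects' if limit.zero?
  uri = URI(uri)
  res = build_client(uri).request(Net::HTTP::Get.new(uri.request_uri))
  return res unless res.is_a?(Net::HTTPRedirection)

  fetch(safe_redirect_target(uri, res['location']), limit - 1)
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a same-scheme redirect is allowed, a downgrade is not.
  puts safe_redirect_target('https://gems.example.test/specs', '/mirror/specs')
  begin
    safe_redirect_target('https://gems.example.test/specs', 'http://gems.example.test/specs')
  rescue DowngradeError => e
    puts "blocked: #{e.message}"
  end
  puts build_client('https://gems.example.test/').verify_mode == OpenSSL::SSL::VERIFY_PEER
end
```

The check lives in the redirect step rather than in the first request on purpose: a client that only verifies the initial URL is https can still be walked onto an http mirror by a single 302, which is exactly the downgrade the first CVE covers. Setting `verify_mode` explicitly matters because older Net::HTTP code paths and copy-pasted snippets frequently use `VERIFY_NONE`, which accepts any certificate and makes the TLS layer decorative.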