Mandriva issued this advisory on May 23: http://lists.mandriva.com/security-announce/2011-05/msg00022.php

It is not totally clear which versions of Ruby are vulnerable to these, but our Ruby package is from February 20. The other two CVEs are fixed in p334.
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
CC: (none) => pterjan
Assignee: bugsquad => pterjan
Ping?
CC: (none) => shikamaru
CVE-2010-0541 is very old and was fixed in Ruby 1.8.7-p299.

CVE-2011-0188 was fixed upstream by http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/bigdecimal/bigdecimal.c?r1=29364&r2=30993&view=patch

Backport by Debian for easy inclusion in the package: http://patch-tracker.debian.org/patch/series/view/ruby1.8/1.8.7.352-2/110703_CVE-2011-0188.patch
Merged with bug #4031.

*** This bug has been marked as a duplicate of bug 4031 ***
Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE