[DRE-commits] [ruby-hiera] 01/02: wheezy stable update: CVE-2014-3248

Jonas Genannt jonas at brachium-system.net
Tue Jun 10 20:07:02 UTC 2014


This is an automated email from the git hooks/post-receive script.

hggh-guest pushed a commit to branch debian-wheezy
in repository ruby-hiera.

commit c4d3dc72b2471b061ddfb64964a3acbd5ad8dddb
Author: Jonas Genannt <jonas at brachium-system.net>
Date:   Tue Jun 10 21:44:32 2014 +0200

    wheezy stable update: CVE-2014-3248
---
 debian/patches/CVE-2014-3248.patch | 17 +++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 18 insertions(+)

diff --git a/debian/patches/CVE-2014-3248.patch b/debian/patches/CVE-2014-3248.patch
new file mode 100644
index 0000000..459326d
--- /dev/null
+++ b/debian/patches/CVE-2014-3248.patch
@@ -0,0 +1,17 @@
+Subject: [PATCH] (HI-238) Remove current directory from Ruby load path. (CVE-2014-3248)
+Author: Peter Huene <peter.huene at puppetlabs.com>
+Date: Wed, 7 May 2014 11:07:58 -0700
+Origin: https://github.com/puppetlabs/hiera/commit/5b71548ca9ea9ced460b2970c3e8fb483b495806
+
+--- a/bin/hiera
++++ b/bin/hiera
+@@ -1,5 +1,9 @@
+ #!/usr/bin/env ruby
+ 
++# For security reasons, ensure that '.' is not on the load path
++# This is primarily for 1.8.7 since 1.9.2+ doesn't put '.' on the load path
++$LOAD_PATH.delete '.'
++
+ # CLI client for Hiera.
+ #
+ # To lookup the 'release' key for a node given Puppet YAML facts:
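Review bot: the inserted `$LOAD_PATH.delete '.'` only strips the literal `'.'` entry, so a relative entry that reaches the load path some other way (for example `./lib` via `RUBYLIB` or `-I`) would still be searched; if the intent is to never resolve `require` against the working directory, dropping every non-absolute entry would be the stricter form. The placement is right, though: the hunk sits directly after the shebang and before any `require` in the file, which is what makes the removal effective, and the fix is limited to `bin/hiera`, so other scripts that load the hiera library are not covered by this patch. On the DEP-3 header, `Subject:`, `Author:`, `Date:` and `Origin:` are present, but a `Bug:`/`Bug-Debian:` reference to the tracker entry for this CVE would help anyone auditing the stable update later.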
diff --git a/debian/patches/series b/debian/patches/series
index 281b00c..2be140d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 dont-require-rubygems
+CVE-2014-3248.patch
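Review bot: the new entry is appended after `dont-require-rubygems`, so it must apply on top of that patch; the context lines in `CVE-2014-3248.patch` show `bin/hiera` starting with the shebang, a blank line and the `# CLI client for Hiera.` comment, with no `require 'rubygems'` in between, so the offsets look consistent with that order, but a `quilt push -a` on the wheezy tree should confirm both patches apply without fuzz before upload.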

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-hiera.git