[DRE-commits] [ruby-hiera] 02/02: prepare wheezy security update for CVE-2014-3248
Jonas Genannt
jonas at brachium-system.net
Tue Jun 10 20:07:02 UTC 2014
This is an automated email from the git hooks/post-receive script.
hggh-guest pushed a commit to branch debian-wheezy
in repository ruby-hiera.
commit ca223218466a9dff95deeb153cf2e8d40dc98c65
Author: Jonas Genannt <jonas at brachium-system.net>
Date: Tue Jun 10 22:05:11 2014 +0200
prepare wheezy security update for CVE-2014-3248
---
debian/changelog | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 16c4ec1..6af74c7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+ruby-hiera (1.0.0~rc3-1+deb7u1) wheezy-security; urgency=high
+
+ * The current directory ('.') is on the load path for Ruby 1.8.7.
+ This is a security vulnerability as it allows arbitrary code loading if
+ users create ruby source files with names that correspond to those that
+ hiera is trying to load.
+ .
+ The fix is to explicitly remove '.' from the load path before any code
+ is loaded by hiera. (CVE-2014-3248)
+
+ -- Jonas Genannt <jonas.genannt at capi2name.de> Tue, 10 Jun 2014 21:44:52 +0200
+
ruby-hiera (1.0.0~rc3-1) unstable; urgency=low
* Initial release (Closes: #677875)
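Review bot: The new 1.0.0~rc3-1+deb7u1 entry describes the fix (removing '.' from the load path before hiera loads any code) but does not name the patch or file that carries it, and this commit changes only debian/changelog (1 file changed, 12 insertions). Since this is 02/02 of the push, confirm that the code change itself is in the other commit, and consider adding a bullet that names the patch file so the upload can be audited against CVE-2014-3248. A smaller style point: the lone '.' line between the two paragraphs is the paragraph-separator convention of debian/control descriptions; in a changelog entry it shows up as a literal dot, so a blank line or a second '*' bullet would read better.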
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-hiera.git