[DRE-commits] [ruby-hiera] 02/02: prepare wheezy security update for CVE-2014-3248

Jonas Genannt jonas at brachium-system.net
Tue Jun 10 20:07:02 UTC 2014


This is an automated email from the git hooks/post-receive script.

hggh-guest pushed a commit to branch debian-wheezy
in repository ruby-hiera.

commit ca223218466a9dff95deeb153cf2e8d40dc98c65
Author: Jonas Genannt <jonas at brachium-system.net>
Date:   Tue Jun 10 22:05:11 2014 +0200

    prepare wheezy security update for CVE-2014-3248
---
 debian/changelog | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 16c4ec1..6af74c7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+ruby-hiera (1.0.0~rc3-1+deb7u1) wheezy-security; urgency=high
+
+  * The current directory ('.') is on the load path for Ruby 1.8.7.
+    This is a security vulnerability as it allows arbitrary code loading if
+    users create ruby source files with names that correspond to those that
+    hiera is trying to load.
+    .
+    The fix is to explicitly remove '.' from the load path before any code
+    is loaded by hiera. (CVE-2014-3248)
+
+ -- Jonas Genannt <jonas.genannt at capi2name.de>  Tue, 10 Jun 2014 21:44:52 +0200
+
 ruby-hiera (1.0.0~rc3-1) unstable; urgency=low
 
   * Initial release (Closes: #677875)
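Review bot: the new 1.0.0~rc3-1+deb7u1 bullet describes the fix (removing '.' from the load path before hiera loads any code) but does not name the file or patch that carries it, and per the diffstat this commit touches only debian/changelog. Suggest naming the patch file in the bullet so a reviewer of the wheezy-security upload can map the entry to the actual code change. Two smaller points: the lone "    ." line is the paragraph separator used in debian/control descriptions and appears literally in a changelog, so an empty line would read better; and the trailer address (jonas.genannt at capi2name.de) differs from the commit author address, so it is worth confirming that it is the intended uploader identity.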

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-hiera.git


