PublicDateAtUSN: 2017-08-31
Candidate: CVE-2017-0902

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
http://blog.rubygems.org/2017/08/27/2.6.13-released.html
https://hackerone.com/reports/218088
https://usn.ubuntu.com/usn/usn-3553-1
https://usn.ubuntu.com/usn/usn-3685-1

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking
vulnerability that allows a MITM attacker to force the RubyGems client to
download and install gems from a server that the attacker controls.

tyhicks> ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems.
leosilva> code not present in trusty for version 1.9.1

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873802

upstream: https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32
upstream: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch
upstream: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch
upstream_ruby1.9.1: needs-triage
precise/esm_ruby1.9.1: DNE
trusty_ruby1.9.1: not-affected (code not present)
vivid/ubuntu-core_ruby1.9.1: DNE

upstream_ruby2.0: needs-triage
precise/esm_ruby2.0: DNE
trusty_ruby2.0: released (2.0.0.484-1ubuntu2.10)
vivid/ubuntu-core_ruby2.0: DNE

upstream_ruby2.3: needs-triage
precise/esm_ruby2.3: DNE
vivid/ubuntu-core_ruby2.3: DNE
xenial_ruby2.3: released (2.3.1-2~16.04.6)
zesty_ruby2.3: ignored (reached end-of-life)
artful_ruby2.3: released (2.3.3-1ubuntu1.3)

upstream_jruby: needs-triage
precise/esm_jruby: DNE
vivid/ubuntu-core_jruby: DNE
zesty_jruby: ignored (reached end-of-life)