svn commit: r529161 - head/security/vuxml
Koichiro Iwao
meta at FreeBSD.org
Thu Mar 26 04:40:49 UTC 2020
Author: meta
Date: Thu Mar 26 04:40:22 2020
New Revision: 529161
URL: https://svnweb.freebsd.org/changeset/ports/529161
Log:
security/vuxml: Document CVE-2020-10663 (devel/rubygem-json)
PR: 245023
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Mar 26 00:35:12 2020 (r529160)
+++ head/security/vuxml/vuln.xml Thu Mar 26 04:40:22 2020 (r529161)
@@ -58,6 +58,46 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="40194e1c-6d89-11ea-8082-80ee73419af3">
+ <topic>rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix)</topic>
+ <affects>
+ <package>
+ <name>rubygem-json</name>
+ <range><le>2.3.0</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <blockquote cite="https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/">
+ <p>When parsing certain JSON documents, the json gem (including the
+ one bundled with Ruby) can be coerced into creating arbitrary objects
+ in the target system.</p>
+ <p>This is the same issue as CVE-2013-0269. The previous fix was incomplete,
+ which addressed JSON.parse(user_input), but didn’t address some other
+ styles of JSON parsing including JSON(user_input) and
+ JSON.parse(user_input, nil).</p>
+ <p>See CVE-2013-0269 in detail. Note that the issue was exploitable to
+ cause a Denial of Service by creating many garbage-uncollectable
+ Symbol objects, but this kind of attack is no longer valid because
+ Symbol objects are now garbage-collectable. However, creating arbitrary
+ bjects may cause severe security consequences depending upon the
+ application code.</p>
+ <p>Please update the json gem to version 2.3.0 or later. You can use
+ gem update json to update it. If you are using bundler, please add
+ gem "json", ">= 2.3.0" to your Gemfile.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/</url>
+ <cvename>CVE-2020-10663</cvename>
+ </references>
+ <dates>
+ <discovery>2020-03-19</discovery>
+ <entry>2020-03-26</entry>
+ </dates>
+ </vuln>
+
<vuln vid="5bf6ed6d-9002-4f43-ad63-458f59e45384">
<topic>jenkins -- multiple vulnerabilities</topic>
<affects>