[GLSA-201609-02] Bundler: Insecure installation
Severity
Normal
Affected Packages
1
Unaffected Packages
1
CVEs
1
A vulnerability has been found in Bundler, allowing injection of arbitrary code via the gem installation process.
Background
Bundler provides a consistent environment for Ruby projects by tracking
and installing the exact gems and versions that are needed.
Description
Bundler, allows the installation of gems from different sources with the
same names, when multiple top-level gem sources are used.
Impact
Remote attackers could inject arbitrary code via the gem install
process.
Workaround
There is no known workaround at this time.
Resolution
All Bundler users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/bundler-1.7.3"
| Package | Affected Version |
|---|---|
 pkg:ebuild/dev-ruby/bundler?distro=gentoo
|
< 1.7.3 |
| Package | Unaffected Version |
|---|---|
|
pkg:ebuild/dev-ruby/bundler?distro=gentoo
|
>= 1.7.3 |
- ID
- GLSA-201609-02
- Severity
- normal
- URL
- https://security.gentoo.org/glsa/201609-02
- Published
-
2016-09-26T00:00:00
(8 years ago) - Modified
-
2016-09-26T00:00:00
(8 years ago) - Rights
- Gentoo Foundation, Inc.
- Other Advisories
ELSA-2015-2180
FEDORA-2014-11630
RHSA-2015:2180
RUBYSEC:BUNDLER-2013-0334
SUSE-SU-2015:0795-1| Source | # ID | Name | URL |
|---|---|---|---|
| CVE | CVE-2013-0334 | CVE-2013-0334 |
|
| Bugzilla | 523798 | Bugzilla #523798 |
|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |