[RHSA-2015:2180] rubygem-bundler and rubygem-thor security, bug fix, and enhancement update
Bundler manages an application's dependencies through its entire life,
across many machines, systematically and repeatably. Thor is a toolkit for
building powerful command-line interfaces.
A flaw was found in the way Bundler handled gems available from multiple
sources. An attacker with access to one of the sources could create a
malicious gem with the same name, which they could then use to trick a user
into installing, potentially resulting in execution of code from the
attacker-supplied malicious gem. (CVE-2013-0334)
Bundler has been upgraded to upstream version 1.7.8 and Thor has been
upgraded to upstream version 1.19.1, both of which provide a number of bug
fixes and enhancements over the previous versions. (BZ#1194243, BZ#1209921)
All rubygem-bundler and rubygem-thor users are advised to upgrade to these
updated packages, which correct these issues and add these enhancements.
| Package | Affected Version |
|---|---|
 pkg:rpm/redhat/rubygem-thor?distro=redhat-7
|
< 0.19.1-1.el7 |
|
pkg:rpm/redhat/rubygem-thor-doc?distro=redhat-7
|
< 0.19.1-1.el7 |
|
pkg:rpm/redhat/rubygem-bundler?distro=redhat-7
|
< 1.7.8-3.el7 |
|
pkg:rpm/redhat/rubygem-bundler-doc?distro=redhat-7
|
< 1.7.8-3.el7 |
- ID
- RHSA-2015:2180
- Severity
- moderate
- URL
- https://access.redhat.com/errata/RHSA-2015:2180
- Published
-
2015-11-19T00:00:00
(8 years ago) - Modified
-
2015-11-19T00:00:00
(8 years ago) - Rights
- Copyright 2015 Red Hat, Inc.
- Other Advisories
ELSA-2015-2180
FEDORA-2014-11630
GLSA-201609-02
RUBYSEC:BUNDLER-2013-0334
SUSE-SU-2015:0795-1| Source | # ID | Name | URL |
|---|---|---|---|
| Bugzilla | 1146335 |
|
|
| RHSA | RHSA-2015:2180 |
|
|
| CVE | CVE-2013-0334 |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:rpm/redhat/rubygem-thor?distro=redhat-7 | redhat |
rubygem-thor
|
< 0.19.1-1.el7 | redhat-7 | ||
| Affected | pkg:rpm/redhat/rubygem-thor-doc?distro=redhat-7 | redhat |
rubygem-thor-doc
|
< 0.19.1-1.el7 | redhat-7 | ||
| Affected | pkg:rpm/redhat/rubygem-bundler?distro=redhat-7 | redhat |
rubygem-bundler
|
< 1.7.8-3.el7 | redhat-7 | ||
| Affected | pkg:rpm/redhat/rubygem-bundler-doc?distro=redhat-7 | redhat |
rubygem-bundler-doc
|
< 1.7.8-3.el7 | redhat-7 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |