Project

General

Profile

Actions

Bug #16698

closed

Backport security fix for CVE-2020-10663

Added by jeremyevans0 (Jeremy Evans) about 4 years ago. Updated almost 4 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:97556]

Description

As announced at https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/, you can upgrade the JSON gem to 2.3.0 to work around the security issue. However, that brings in new features and not just the security fix. The security issue itself is easy to fix in older ruby versions, and I think the next releases of Ruby 2.4, 2.5, and 2.6 should contain just this security fix without a JSON version upgrade. I'm not sure if we plan a security release of Ruby 2.4 before it goes fully out of support, but I think we should have one.

Attached is a patch for ruby 2.6. It applies cleanly to ruby 2.4 and 2.5 (with some offsets).


Files

ruby-2-6-json-cve-2020-10663.patch (1.05 KB) ruby-2-6-json-cve-2020-10663.patch jeremyevans0 (Jeremy Evans), 03/19/2020 05:35 PM

Updated by nagachika (Tomoyuki Chikanaga) about 4 years ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED, 2.7: DONTNEED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE, 2.7: DONTNEED

Backported into ruby_2_6 at r67856.
Thank you for providing a clean patch.

Updated by usa (Usaku NAKAMURA) almost 4 years ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE, 2.7: DONTNEED to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE, 2.7: DONTNEED

ruby_2_5 r67869 merged revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01.

Updated by usa (Usaku NAKAMURA) almost 4 years ago

  • Backport changed from 2.4: REQUIRED, 2.5: DONE, 2.6: DONE, 2.7: DONTNEED to 2.4: DONE, 2.5: DONE, 2.6: DONE, 2.7: DONTNEED

ruby_2_4 r67873 merged revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01.

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0