Posted: Mon Sep 26, 2016 4:26 am Post subject: [ GLSA 201609-02 ] Bundler
Gentoo Linux Security Advisory
Title: Bundler: Insecure installation (GLSA 201609-02)
Severity: normal
Exploitable: remote
Date: September 26, 2016
Bug(s): #523798
ID: 201609-02
Synopsis
A vulnerability has been found in Bundler, allowing injection of
arbitrary code via the gem installation process.
Background
Bundler provides a consistent environment for Ruby projects by tracking
and installing the exact gems and versions that are needed.
Affected Packages
Package: dev-ruby/bundler
Vulnerable: < 1.7.3
Unaffected: >= 1.7.3
Architectures: All supported architectures
Description
Bundler allows the installation of gems from different sources with the
same names when multiple top-level gem sources are used.
Impact
Remote attackers could inject arbitrary code via the gem install
process.
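The ambiguity described above, shown as an added example that is not part of the advisory or of Bundler itself: a small Ruby evaluator of the Gemfile DSL lists the gems that could be resolved from more than one top-level source, with a constructed weak Gemfile beside one that scopes the private gem to a source block (the scoped form assumes a Bundler release that supports source blocks; gem names and URLs are constructed).

```ruby
# Added example, not from the advisory or from Bundler: a minimal evaluator
# for the Gemfile DSL that flags the configuration the GLSA describes, i.e.
# more than one top-level `source` with gems pinned to none of them.
class GemfileAudit
  def initialize
    @top_level = []  # every bare `source "url"` call
    @gems = []       # [name, pinned source or nil]
    @scope = nil     # set while inside a `source "url" do ... end` block
  end
  # A bare `source` registers a global source; with a block it applies only to
  # the gems declared inside it (Bundler's scoped source-block form).
  def source(url)
    return @top_level << url unless block_given?
    previous, @scope = @scope, url
    yield
    @scope = previous
  end
  # `gem "name", "~> 1.0", source: "url"` pins one gem; else the block applies.
  def gem(name, *_versions, **opts)
    @gems << [name, opts[:source] || @scope]
  end
  # Gems Bundler could fetch from any of several top-level sources: the
  # same-name ambiguity behind CVE-2013-0334.
  def ambiguous_gems
    return [] if @top_level.length < 2
    @gems.reject { |_, src| src }.map(&:first)
  end
end

def ambiguous_gems_in(gemfile_text)
  audit = GemfileAudit.new
  audit.instance_eval(gemfile_text, "Gemfile")
  audit.ambiguous_gems
end

# Constructed weak Gemfile: two top-level sources, nothing pinned.
WEAK_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.internal.example"
  gem "rails"
  gem "internal-billing"
GEMFILE
# Constructed hardened Gemfile: one global source, the private gem scoped.
SAFE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.internal.example" do
    gem "internal-billing"
  end
  gem "rails"
GEMFILE
```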
Workaround
There is no known workaround at this time.
Resolution
All Bundler users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/bundler-1.7.3"
References
CVE-2013-0334