[Bug 1257609] Re: Sync ruby2.0 2.0.0.353-1 (main) from Debian unstable (main)
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Dec 4 16:18:59 UTC 2013
This bug was fixed in the package ruby2.0 - 2.0.0.353-1
Sponsored for Logan Rosen (logan)
---------------
ruby2.0 (2.0.0.353-1) unstable; urgency=low
* New upstream release
+ Includes fix for Heap Overflow in Floating Point Parsing (CVE-2013-4164)
Closes: #730190
-- Antonio Terceiro <terceiro at debian.org> Mon, 25 Nov 2013 22:34:25
-0300
** Changed in: ruby2.0 (Ubuntu)
Status: New => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-4164
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1257609
Title:
Sync ruby2.0 2.0.0.353-1 (main) from Debian unstable (main)
Status in “ruby2.0” package in Ubuntu:
Fix Released
Bug description:
Please sync ruby2.0 2.0.0.353-1 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
* SECURITY UPDATE: denial of service and possible code execution via
heap overflow in floating point parsing.
- debian/patches/CVE-2013-4164.patch: check lengths in util.c, added
test to test/ruby/test_float.rb.
- CVE-2013-4164
This CVE was fixed in the new upstream release, as noted in Debian's changelog.
Changelog entries since current trusty version 2.0.0.343-1ubuntu1:
ruby2.0 (2.0.0.353-1) unstable; urgency=low
* New upstream release
+ Includes fix for Heap Overflow in Floating Point Parsing (CVE-2013-4164)
Closes: #730190
-- Antonio Terceiro <terceiro at debian.org> Mon, 25 Nov 2013 22:34:25
-0300
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ruby2.0/+bug/1257609/+subscriptions
More information about the Ubuntu-sponsors
mailing list