[ruby-core:123675] [Ruby Bug#21667] CVE-2024-12224
Issue #21667 has been reported by mcandre (Andrew Pennebaker).

----------------------------------------
Bug #21667: CVE-2024-12224
https://bugs.ruby-lang.org/issues/21667

* Author: mcandre (Andrew Pennebaker)
* Status: Open
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
ruby-build triggers Wiz finding CVE-2024-12224 for the leftover build files when compiling Ruby from source.

--
https://bugs.ruby-lang.org/
Issue #21667 has been updated by alanwu (Alan Wu).

Status changed from Open to Feedback

What version of Ruby were you building? Does Wiz point to some file that this is about?

https://bugs.ruby-lang.org/issues/21667#change-115082
Issue #21667 has been updated by mcandre (Andrew Pennebaker).

Wiz reports a servo/rust-url package. Curious if Ruby is using this package strictly at the point in time when the Ruby language is being compiled, possibly even an integration test suite. Or perhaps servo ends up as a portion of the Ruby standard library.

https://bugs.ruby-lang.org/issues/21667#change-115091
Issue #21667 has been updated by alanwu (Alan Wu).

Status changed from Feedback to Closed

https://rustsec.org/advisories/RUSTSEC-2024-0421.html

This seems to be from MMTk depending on the `idna` crate. MMTk is experimental and requires a separate build step, so ruby-build probably doesn't even build it. In any case, we have already upgraded past the vulnerable version in commit:d8774ec98fb.

https://bugs.ruby-lang.org/issues/21667#change-115097
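The triage question in this thread is whether a scanner hit on a leftover build tree actually corresponds to a crate the shipped Ruby uses, or only to an optional component such as MMTk. The script below is an added example, not code from the Ruby issue, ruby-build or MMTk: it reads the `Cargo.lock` a Rust build leaves behind, reports every pinned version of a crate below a given patched version, and lists which crates pull it in, so the reviewer can trace the hit back to the component that owns it. The `Cargo.lock` contents are constructed for the example (crate names and versions are illustrative, not the real MMTk lock file), and the `1.0.0` threshold is my reading of the linked RustSec advisory's patched range, not something the thread states; confirm it against the advisory's "Patched" field before relying on it.

```ruby
require 'rubygems' # Gem::Version ships with Ruby's standard library

# Minimal parser for the [[package]] tables in a Cargo.lock. Returns an array
# of hashes: { "name" => ..., "version" => ..., "dependencies" => [crate names] }.
# Only the keys needed for triage are kept; source/checksum lines are ignored.
def parse_cargo_lock(text)
  packages = []
  current = nil
  in_deps = false
  text.each_line do |raw|
    line = raw.strip
    if line == '[[package]]'
      current = { 'dependencies' => [] }
      packages << current
      in_deps = false
    elsif current.nil?
      next # header comment and top-level `version = N` before the first table
    elsif in_deps
      if line == ']'
        in_deps = false
      elsif (m = line.match(/\A"([^"\s]+)/))
        current['dependencies'] << m[1] # "idna" or "idna 0.5.0" -> "idna"
      end
    elsif (m = line.match(/\A(name|version)\s*=\s*"([^"]*)"\z/))
      current[m[1]] = m[2]
    elsif line.start_with?('dependencies')
      in_deps = !line.end_with?(']') # a one-line `dependencies = []` has no block
    end
  end
  packages
end

# Report every pinned version of `crate` that is below `patched`, together
# with the crates that depend on it, so the hit can be attributed to the
# component (shipped binary vs. optional build step) that owns it.
def find_unpatched(lock_text, crate:, patched:)
  packages = parse_cargo_lock(lock_text)
  floor = Gem::Version.new(patched)
  hits = packages.select { |p| p['name'] == crate && Gem::Version.new(p['version']) < floor }
  hits.map do |hit|
    dependents = packages.select { |p| p['dependencies'].include?(crate) }.map { |p| p['name'] }
    { version: hit['version'], dependents: dependents.sort }
  end
end

# Constructed sample lock file for this example; names and versions are
# illustrative and are not taken from any real project's Cargo.lock.
SAMPLE_LOCK = <<~LOCK
  # This file is automatically @generated by Cargo.
  version = 3

  [[package]]
  name = "idna"
  version = "0.5.0"
  source = "registry+https://github.com/rust-lang/crates.io-index"
  dependencies = [
   "unicode-bidi",
   "unicode-normalization",
  ]

  [[package]]
  name = "url"
  version = "2.5.2"
  dependencies = [
   "idna",
   "percent-encoding",
  ]

  [[package]]
  name = "example-gc-runtime"
  version = "0.0.0"
  dependencies = [
   "url",
  ]
LOCK

if __FILE__ == $0
  # Threshold is an assumption taken from the advisory's patched range.
  find_unpatched(SAMPLE_LOCK, crate: 'idna', patched: '1.0.0').each do |hit|
    puts "idna #{hit[:version]} is below 1.0.0; pulled in by: #{hit[:dependents].join(', ')}"
  end
end
```

Run it against the real lock file with `File.read("path/to/Cargo.lock")` in place of `SAMPLE_LOCK`; an empty result means the tree already pins a version at or above the threshold, and a non-empty result names the crates to look at when deciding whether the finding applies to the shipped build.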
Issue #21667 has been updated by mcandre (Andrew Pennebaker).

Excellent news, glad to see the patch progressing. How quickly can we release new versions of Ruby to include this patch?

https://bugs.ruby-lang.org/issues/21667#change-115099
participants (2)
- alanwu (Alan Wu)
- mcandre (Andrew Pennebaker)