FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-12-31 16:42:47 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
40194e1c-6d89-11ea-8082-80ee73419af3	rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix) When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didnât address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil). See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary bjects may cause severe security consequences depending upon the application code. Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile. Discovery 2020-03-19 Entry 2020-03-26 Modified 2020-04-02 rubygem-json < 2.3.0 https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ CVE-2020-10663

VuXML ID

Description

40194e1c-6d89-11ea-8082-80ee73419af3

rubygem-json -- Unsafe Objection Creation Vulnerability in JSON (Additional fix)

When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didnât address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).

See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary bjects may cause severe security consequences depending upon the application code.

Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.

Discovery 2020-03-19
Entry 2020-03-26
Modified 2020-04-02
rubygem-json

< 2.3.0

https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
CVE-2020-10663