This repository has been archived by the owner on Jan 15, 2025. It is now read-only.

(PA-6282) RDoc vulnerability in Puppet7/Ruby 2.7.8 (CVE-2024-27281) #907

Merged

joshcooper merged 1 commit into puppetlabs-toy-chest:master from imaqsood:PA-6282

Aug 31, 2024

Contributor

imaqsood commented Aug 30, 2024

References

Ruby disclosed on HackerOne: RCE by parsing .rdoc_options in RDoc Specifically:

0001-Filter-marshaled-objects-ruby30.patch (F3085308)

0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch (F3085309)

https://git.launchpad.net/ubuntu/+source/ruby2.7/commit/?id=7584287c1cf59926252197badedde2cbc08e084c

Testing Done

Agent Runtime 7.x build
vanagon-generic-builder (generic) Generic Builder Step 03 -- Vanagon Project Packaging #3209 Console [Jenkins]
Agent Runtime Artifacts
Index of /puppet-runtime/99588328fc2eaf6c3ac5390a3c7214ac66159675/artifacts/
Puppet Agent 7.x Build
vanagon-generic-builder (generic) Generic Builder Step 03 -- Vanagon Project Packaging #3210 [Jenkins]
Puppet Agent 7.x Artifacts
Index of /puppet-agent/b3da7d646f28a489e6e04ce291214655d0adb78a/artifacts/deb/bionic/puppet7/

Index of /puppet-agent/b3da7d646f28a489e6e04ce291214655d0adb78a/artifacts/el/7/puppet7/x86_64/


          (PA-6282) RDoc vulnerability in Puppet7/Ruby 2.7.8 (CVE-2024-27281)

8954d1b

imaqsood requested review from a team as code owners

August 30, 2024 07:17

joshcooper approved these changes

View reviewed changes

joshcooper merged commit 086f9aa into puppetlabs-toy-chest:master

3 checks passed

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet