aws / opsworks-cookbooks

Chef Cookbooks for the AWS OpsWorks Service
Other
1.06k stars 1.23k forks

Bump Ruby to version 2.2.4 #356

Closed steveh closed 8 years ago

steveh commented 8 years ago

https://www.ruby-lang.org/en/news/2015/12/16/ruby-2-2-4-released/

"There is an unsafe tainted string vulnerability in Fiddle and DL."

githuesch commented 8 years ago

Handling CVE-2015-7551 completely is a lot more work than changing this one file. In fact, changing only this file will only lead to errors. The version number is used to construct the URL for a Ruby asset that sits in S3. We build those assets. The assets for Ruby 2.2.4 are built and uploaded, but the corresponding cookbook change hasn't been rolled out yet; we're working on it. The primary purpose of having these cookbooks in a public repository is giving our customers an idea of which version of the cookbooks they will find on running AWS OpsWorks instances, so as long as we haven't rolled that change out, accepting this pull request would be misleading. Once the change is rolled out, though, we will push to GitHub so everyone can see what changed.

steveh commented 8 years ago

OK, thanks for the heads up.