ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be
hijacked on Windows OS, when a Symbol is used as DLL name instead of a String
This vulnerability appears to have been fixed in v1.9.24 and later.
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
We've updated a dependency and here is what you need to know:
name
version specification
old version
new version
ffi
indirect dependency
1.9.18
1.9.25
You should probably take a good look at the info here and the test results before merging this pull request, of course.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
🚨 Your version of ffi has known security vulnerabilities 🚨
Advisory: CVE-2018-1000201 Disclosed: June 22, 2018 URL: https://github.com/ffi/ffi/releases/tag/1.9.24
ruby-ffi DDL loading issue on Windows OS
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
We've updated a dependency and here is what you need to know:
You should probably take a good look at the info here and the test results before merging this pull request, of course.
What changed?
↗️ ffi (indirect, 1.9.18 → 1.9.25) · Repo
Commits
See the full diff on Github. The new version differs by 53 commits:
Prepare for release 1.9.25Revert "README: Remove now unnecessary PaX workaround [ci skip]"Revert "Do closures via libffi"Run rspec with dots output onlyFix integer parameter range specsFix several specs where raise_error was called without classSpecify error class for several raise_error callsFix missing C declarations causing compiler warningsReplace symlinks for mips r6 with plain filesUpdate CHANGELOGMerge branch 'master' of github.com:ffi/ffiAdd a CHANGELOG fileBump VERSION to 1.9.24Update libffi to latest changes on masterDon't search in hardcoded paths on WindowsDon't treat Symbol args different to Strings in ffi_libMake sure size_t is defined in Thread.cMerge pull request #601 from wzssyqa/masterBump VERSION to 1.9.23Bump VERSION to 1.9.23.pre1README: Remove now unnecessary PaX workaround [ci skip]Fix wrong path to search for configureUpdate libffi to latest masterFix repeated generation of autoconf filesBump VERSION to 1.9.22Fix failures on MacOS (#617)Merge pull request #540 from forgottenswitch/paxMerge pull request #615 from takkanm/suppress-unused-variable-warningAdd Appveyor badge iconsuppress unused variable warningVarious fixes and more deterinistic gem packaging (#612)Grr.Bump version again while I figure out how to build this thing.Bump version to 1.9.19.Bump rake-compiler-dock dependency to add ruby-2.5 support (#599)update travis for latest ruby versions.Add mips64(eb) support, and mips r6 supportUse kramdown for markdown processing.Upgrade to yard ~> 0.9 to silence Github dependency vulnerability warning.add missing win64 typesoptimise read_string for case if len is nilread_string should not throw an error on length 0Fix typo of mprotect (#586)Do not assume a path to the sh and env binaries (#528)Do closures via libffiUse Ruby implementation for `which` (#315)Added support for Bitmask. (#573)Fix compatibility with PPC64LE platform (#577)Normalize sparc64 to sparcv9. (#575)Add support for MSYS2 (#572)Add support for Sparc64 Linux. (#574)Drop Ruby 1.8.7 support (#480)Use PRIsVALUE shim when not available for Ruby < 2.0 compatibility. (#548)Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.