ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be
hijacked on Windows OS when a Symbol is used as the DLL name instead of a String.
This vulnerability appears to have been fixed in v1.9.24 and later.
🚨 We recommend merging and deploying this update as soon as possible! 🚨
We've updated a dependency and here is what you need to know:
| name | version specification | old version | new version |
|------|-----------------------|-------------|-------------|
| ffi  | indirect dependency   | 1.9.18      | 1.9.25      |
You should probably take a good look at the info here and the test results before merging this pull request, of course.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
🚨 Your version of ffi has known security vulnerabilities 🚨
Advisory: CVE-2018-1000201
Disclosed: June 22, 2018
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
ruby-ffi DLL loading issue on Windows OS
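To check whether a project is still on an affected ffi release, the following added example (not part of the Depfu PR or of the ffi project) parses a Gemfile.lock and compares the resolved `ffi` version against the fix boundary stated in the advisory (1.9.23 and earlier affected, 1.9.24 and later fixed). The lockfile text is a constructed sample; the helper names `locked_version` and `ffi_vulnerable?` are this example's own.

```ruby
# Added example: flag a Gemfile.lock whose resolved ffi gem predates the
# CVE-2018-1000201 fix (first fixed release: 1.9.24).
require "rubygems"

FFI_FIXED_VERSION = Gem::Version.new("1.9.24")

# Constructed sample lockfile (not from a real project). ffi appears both as a
# dependency line under childprocess (6-space indent, version constraint) and
# as a resolved top-level entry (4-space indent, concrete version).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      childprocess (0.8.0)
        ffi (~> 1.0, >= 1.0.11)
      ffi (1.9.18)

  PLATFORMS
    ruby
LOCK

# Return the resolved Gem::Version of +gem_name+ from Gemfile.lock text, or
# nil when the gem is not resolved there. Only 4-space-indented "name (version)"
# lines are resolved entries; deeper lines are dependency constraints and are
# skipped. A platform suffix such as "1.9.25-x64-mingw32" is stripped so the
# comparison uses the plain gem version.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    next unless m
    return Gem::Version.new(m[1].split("-", 2).first)
  end
  nil
end

# true  -> resolved ffi is older than 1.9.24 (affected by the advisory)
# false -> resolved ffi is 1.9.24 or newer
# nil   -> ffi is not in the lockfile, nothing to report
def ffi_vulnerable?(lockfile_text)
  version = locked_version(lockfile_text, "ffi")
  return nil if version.nil?
  version < FFI_FIXED_VERSION
end

if __FILE__ == $0
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCKFILE
  case ffi_vulnerable?(text)
  when true  then puts "ffi #{locked_version(text, 'ffi')} is affected by CVE-2018-1000201; upgrade to >= #{FFI_FIXED_VERSION}"
  when false then puts "ffi #{locked_version(text, 'ffi')} is at or above the fixed release"
  else            puts "ffi is not resolved in this lockfile"
  end
end
```

Run it with a path to a real Gemfile.lock, or with no argument to evaluate the embedded sample. Because the check reads the resolved version rather than the Gemfile's constraint, it catches the indirect-dependency case this PR is about, where no application code references ffi directly.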
What changed?
↗️ ffi (indirect, 1.9.18 → 1.9.25) · Repo
Commits
See the full diff on Github. The new version differs by 53 commits:
Prepare for release 1.9.25
Revert "README: Remove now unnecessary PaX workaround [ci skip]"
Revert "Do closures via libffi"
Run rspec with dots output only
Fix integer parameter range specs
Fix several specs where raise_error was called without class
Specify error class for several raise_error calls
Fix missing C declarations causing compiler warnings
Replace symlinks for mips r6 with plain files
Update CHANGELOG
Merge branch 'master' of github.com:ffi/ffi
Add a CHANGELOG file
Bump VERSION to 1.9.24
Update libffi to latest changes on master
Don't search in hardcoded paths on Windows
Don't treat Symbol args different to Strings in ffi_lib
Make sure size_t is defined in Thread.c
Merge pull request #601 from wzssyqa/master
Bump VERSION to 1.9.23
Bump VERSION to 1.9.23.pre1
README: Remove now unnecessary PaX workaround [ci skip]
Fix wrong path to search for configure
Update libffi to latest master
Fix repeated generation of autoconf files
Bump VERSION to 1.9.22
Fix failures on MacOS (#617)
Merge pull request #540 from forgottenswitch/pax
Merge pull request #615 from takkanm/suppress-unused-variable-warning
Add Appveyor badge icon
suppress unused variable warning
Various fixes and more deterministic gem packaging (#612)
Grr.
Bump version again while I figure out how to build this thing.
Bump version to 1.9.19.
Bump rake-compiler-dock dependency to add ruby-2.5 support (#599)
update travis for latest ruby versions.
Add mips64(eb) support, and mips r6 support
Use kramdown for markdown processing.
Upgrade to yard ~> 0.9 to silence Github dependency vulnerability warning.
add missing win64 types
optimise read_string for case if len is nil
read_string should not throw an error on length 0
Fix typo of mprotect (#586)
Do not assume a path to the sh and env binaries (#528)
Do closures via libffi
Use Ruby implementation for `which` (#315)
Added support for Bitmask. (#573)
Fix compatibility with PPC64LE platform (#577)
Normalize sparc64 to sparcv9. (#575)
Add support for MSYS2 (#572)
Add support for Sparc64 Linux. (#574)
Drop Ruby 1.8.7 support (#480)
Use PRIsVALUE shim when not available for Ruby < 2.0 compatibility. (#548)