Description of problem:
ref: bug 1456725
Ruby bundles Onigmo, which is a modified Oniguruma 6.1.2. Recently, multiple security issues were found in Oniguruma through 6.2.0:
CVE-2017-9226 https://github.com/kkos/oniguruma/issues/55
CVE-2017-9225 https://github.com/kkos/oniguruma/issues/56
CVE-2017-9224 https://github.com/kkos/oniguruma/issues/57
CVE-2017-9227 https://github.com/kkos/oniguruma/issues/58
CVE-2017-9229 https://github.com/kkos/oniguruma/issues/59
CVE-2017-9228 https://github.com/kkos/oniguruma/issues/60
All of them are fixed in 6.3.0: https://github.com/kkos/oniguruma/releases
It looks like Ruby (with the bundled Onigmo) is affected by all of these except for CVE-2017-9225.

Version-Release number of selected component (if applicable):
ruby-2.4.1-79.fc27
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
Ruby 2.4.2 still bundles Onigmo 6.1.1. https://github.com/ruby/ruby/blob/v2_4_2/include/ruby/onigmo.h
This is basically a duplicate of bug 1466749 created by the security folks. Just FTR, Ruby should not be vulnerable according to upstream. Thanks for reporting.

*** This bug has been marked as a duplicate of bug 1466749 ***