Red Hat Bugzilla – Bug 1547421
CVE-2018-1000076 rubygems: Improper verification of signatures in tarball allows to install mis-signed gem
Last modified: 2018-06-29 18:33:16 EDT
Improper verification of signatures in tarball allows to install mis-signed gem when tarball contain multiple gem signatures. Upstream fix: https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693 External References: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
Created rubygems tracking bugs for this issue: Affects: fedora-all [bug 1547431]
Statement: This issue affects the versions of rubygems as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. This issue affects the versions of rubygems as shipped with Red Hat Satellite version 6 on Red Hat Enterprise Linux version 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.