Teach Hash#slice to only include keys that exist in original #289

Merged

@lmarlow (Contributor) commented Sep 26, 2014

Previously this would blow up if you asked for a key that wasn't in the
original hash. This is consistent with Rails' version of Hash#slice.

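An added illustration of the behaviour change the description above talks about. This is not the i18n gem's own source: both method bodies below are reconstructions written for this example (the real `lib/i18n/core_ext/hash.rb` implementation is assumed, not quoted), and the `OPTIONS` hash is constructed sample input.

```ruby
# Pre-fix behaviour as the PR describes it: every requested key is looked up
# with Hash#fetch, so a key that is absent from the original hash raises
# KeyError. When the key list comes from a caller, that is a crash on demand.
def slice_strict(hash, *keep_keys)
  keep_keys.each_with_object({}) { |key, out| out[key] = hash.fetch(key) }
end

# Fixed behaviour: only keys present in the original hash are copied, so an
# unknown key is simply skipped. This is the Rails Hash#slice contract the
# PR aligns with.
def slice_lenient(hash, *keep_keys)
  keep_keys.each_with_object({}) do |key, out|
    out[key] = hash.fetch(key) if hash.key?(key)
  end
end

# Constructed sample: the kind of options hash i18n passes around internally.
OPTIONS = { locale: :en, scope: :errors, default: "missing" }.freeze

# Runs the strict form and reports :raised instead of letting the KeyError
# escape, so the two behaviours can be compared side by side.
def strict_outcome(keys)
  slice_strict(OPTIONS, *keys)
rescue KeyError
  :raised
end

if __FILE__ == $PROGRAM_NAME
  p slice_lenient(OPTIONS, :locale, :count)   # {:locale=>:en}
  p strict_outcome([:locale, :count])         # :raised
end
```

The defensive change is the `hash.key?(key)` guard: the method's output becomes a subset of the input regardless of what keys the caller names, which is why a library helper called on user-influenced key lists should behave this way.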
carlosantoniodasilva added a commit that referenced this pull request Jan 10, 2015
Teach Hash#slice to only include keys that exist in original
@carlosantoniodasilva merged commit 9c8b240 into ruby-i18n:master Jan 10, 2015

@carlosantoniodasilva (Member)

Thanks.

@reedloden

Is a new version of the gem going to be released with this fix?

@VanessaHenderson

@carlosantoniodasilva When will this fix be pushed to RubyGems?

@BookOfGreg

@svenfuchs rubysec/ruby-advisory-db#182
rubysec/ruby-advisory-db is alerting this gem on this PR.
Has this been deployed already?

@BookOfGreg commented Nov 6, 2018

Also summoning @radar as the last person to release.
Edit:
Sorry for the unnecessary summons, looks like a fix inbound rubysec/ruby-advisory-db@25eb466

cchawn added a commit to wealthsimple/middleman that referenced this pull request Nov 6, 2018
### Why
The previous version of i18n has a critical vulnerability that has been addressed in a subsequent release.

```
Name: i18n
Version: 0.7.0
Advisory: CVE-2014-10077
Criticality: Unknown
URL: ruby-i18n/i18n#289
Title: i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS
Solution: upgrade to >= 0.8.0
```

### What
This PR updates i18n to 0.8.0 to address this security vulnerability.
@carnil commented Nov 6, 2018

CVE-2014-10077 was assigned for this issue.

@radar (Collaborator) commented Nov 6, 2018

Looks to be all fixed! Wonderful :)

@ghiculescu (Contributor)

Not sure where to report this, but bumping to 0.8 means that Rails 4 users won't be able to get this update, because activesupport is pinned to 0.7: https://github.com/rails/rails/blob/v4.2.10/activesupport/activesupport.gemspec#L23

@MrBerg commented Nov 7, 2018

@ghiculescu, ...no? i18n ~> 0.7 is the same as i18n >= 0.7, < 1 (unless .gemspec files use ~> differently from Gemfiles) so 0.8 totally works for Rails 4.

@ghiculescu (Contributor)

yeah wow I am totally wrong, sorry, ignore me.
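
An added check (not from the i18n or Rails projects) that settles the two version questions raised in this thread with RubyGems' own `Gem::Requirement` class, the same resolver logic Bundler uses: whether an installed version meets the advisory's "upgrade to >= 0.8.0" solution, and whether activesupport's `~> 0.7` pin admits 0.8.0. The `~> 0.7.0` row is an extra case added here to show the pitfall the exchange above is really about: a three-component pessimistic constraint would have excluded the patched release.

```ruby
require "rubygems"

# Returns true when +constraint+ (e.g. "~> 0.7") accepts +version+.
def constraint_allows?(constraint, version)
  Gem::Requirement.new(constraint).satisfied_by?(Gem::Version.new(version))
end

# Returns true when +installed+ satisfies the advisory's +solution+ requirement.
def patched?(installed, solution)
  constraint_allows?(solution, installed)
end

# Constructed inputs: the advisory's solution line and the dependency pin
# discussed in this thread. Each label maps to a boolean verdict.
def report
  solution = ">= 0.8.0"
  {
    "0.7.0 patched?"        => patched?("0.7.0", solution),
    "0.8.0 patched?"        => patched?("0.8.0", solution),
    "~> 0.7 allows 0.8.0"   => constraint_allows?("~> 0.7", "0.8.0"),
    "~> 0.7 allows 1.0.0"   => constraint_allows?("~> 0.7", "1.0.0"),
    "~> 0.7.0 allows 0.8.0" => constraint_allows?("~> 0.7.0", "0.8.0"),
  }
end

if __FILE__ == $PROGRAM_NAME
  report.each { |label, ok| puts "#{label}: #{ok}" }
end
```

`~> 0.7` expands to `>= 0.7, < 1.0`, so the Rails 4.2 pin does accept 0.8.0, as MrBerg says; had the gemspec pinned `~> 0.7.0`, the expansion would be `>= 0.7.0, < 0.8`, and Rails 4 users could not have picked up the fix without a Rails-side change. Checking the pin this way, rather than reading the operator by eye, is the quick way to confirm an advisory's fix version is actually reachable from a dependent's constraints.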

EduardoGHdez added a commit to EduardoGHdez/faker that referenced this pull request Aug 9, 2019
i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash
Handling DoS

This addresses CVE-2014-10077

For more information:
  * ruby-i18n/i18n#289
vbrazo pushed a commit to faker-ruby/faker that referenced this pull request Aug 10, 2019
* Upgrade i18n

i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash
Handling DoS

This addresses CVE-2014-10077

For more information:
  * ruby-i18n/i18n#289

* Update faker.gemspec
michebble pushed a commit to michebble/faker that referenced this pull request Feb 16, 2020
davidmorton0 pushed a commit to davidmorton0/faker that referenced this pull request Jul 12, 2021