CVE-2016-7954: Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
CVE-2016-7954: Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
Please fix it.
Standards version of the package is outdated.
high
The package is severely out of date with respect to the Debian Policy.The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.0.0 instead of
3.9.8).
CVE-2016-7954: Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
CVE-2013-0334: Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.
CVE-2016-7954: Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
CVE-2016-7954: Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/b/bundler.png){kind=link}