Описание
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| ruby2.3 | fixed | 2.3.5-1 | package | |
| ruby2.1 | removed | package | ||
| ruby1.9.1 | removed | package | ||
| ruby1.9.1 | not-affected | wheezy | package | |
| rubygems | fixed | 3.2.0~rc.1-1 | package | |
| rubygems | not-affected | wheezy | package |
Примечания
https://www.openwall.com/lists/oss-security/2017/10/10/2
https://justi.cz/security/2017/10/07/rubygems-org-rce.html
Fixed by: https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
Связанные уязвимости
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
RubyGems vulnerable to Deserialization of Untrusted Data
