Description
ELSA-2018-0378: ruby security update (IMPORTANT)
[2.0.0.648-33]
- Fix always passing WEBrick test.
[2.0.0.648-32]
- Add Psych.safe_load
- ruby-2.1.0-there-should-be-only-one-exception.patch
- ruby-2.1.0-Adding-Psych.safe_load.patch Related: CVE-2017-0903
- Disable Tokyo TZ tests broken by recent tzdata update.
- ruby-2.5.0-Disable-Tokyo-TZ-tests.patch Related: CVE-2017-0903
[2.0.0.648-31]
- Fix unsafe object deserialization in RubyGems (CVE-2017-0903).
- ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch Resolves: CVE-2017-0903
- Fix an ANSI escape sequence vulnerability (CVE-2017-0899). Resolves: CVE-2017-0899
- Fix a DoS vulnerability in the query command (CVE-2017-0900). Resolves: CVE-2017-0900
- Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files (CVE-2017-0901). Resolves: CVE-2017-0901
- Fix a DNS request hijacking vulnerability (CVE-2017-0902).
- ruby-2.2.8-lib-rubygems-fix-several-vulnerabilities-in-RubyGems.patch Resolves: CVE-2017-0902
- Fix buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898).
- ruby-2.2.8-Buffer-underrun-vulnerability-in-Kernel.sprintf.patch Resolves: CVE-2017-0898
- Escape sequence injection vulnerability in the Basic authentication of WEBrick (CVE-2017-10784).
- ruby-2.2.8-sanitize-any-type-of-logs.patch Resolves: CVE-2017-10784
- Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).
- ruby-2.2.8-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch Resolves: CVE-2017-14064
- Command injection vulnerability in Net::FTP (CVE-2017-17405).
- ruby-2.2.9-Fix-a-command-injection-vulnerability-in-Net-FTP.patch Resolves: CVE-2017-17405
- Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033).
- ruby-2.2.8-asn1-fix-out-of-bounds-read-in-decoding-constructed-objects.patch Resolves: CVE-2017-14033
- Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution (CVE-2017-17790).
- ruby-2.5.0-Fixed-command-Injection.patch Resolves: CVE-2017-17790
Updated packages
Oracle Linux 7

Oracle Linux aarch64
  ruby                  2.0.0.648-33.el7_4
  ruby-devel            2.0.0.648-33.el7_4
  ruby-doc              2.0.0.648-33.el7_4
  ruby-irb              2.0.0.648-33.el7_4
  ruby-libs             2.0.0.648-33.el7_4
  ruby-tcltk            2.0.0.648-33.el7_4
  rubygem-bigdecimal    1.2.0-33.el7_4
  rubygem-io-console    0.4.2-33.el7_4
  rubygem-json          1.7.7-33.el7_4
  rubygem-minitest      4.3.2-33.el7_4
  rubygem-psych         2.0.0-33.el7_4
  rubygem-rake          0.9.6-33.el7_4
  rubygem-rdoc          4.0.0-33.el7_4
  rubygems              2.0.14.1-33.el7_4
  rubygems-devel        2.0.14.1-33.el7_4

Oracle Linux x86_64
  ruby                  2.0.0.648-33.el7_4
  ruby-devel            2.0.0.648-33.el7_4
  ruby-doc              2.0.0.648-33.el7_4
  ruby-irb              2.0.0.648-33.el7_4
  ruby-libs             2.0.0.648-33.el7_4
  ruby-tcltk            2.0.0.648-33.el7_4
  rubygem-bigdecimal    1.2.0-33.el7_4
  rubygem-io-console    0.4.2-33.el7_4
  rubygem-json          1.7.7-33.el7_4
  rubygem-minitest      4.3.2-33.el7_4
  rubygem-psych         2.0.0-33.el7_4
  rubygem-rake          0.9.6-33.el7_4
  rubygem-rdoc          4.0.0-33.el7_4
  rubygems              2.0.14.1-33.el7_4
  rubygems-devel        2.0.14.1-33.el7_4
Source references
Related vulnerabilities
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
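The class-allow-list bypass described above, and the Psych.safe_load backport listed in the 2.0.0.648-32 changelog entry, come down to one question: does the YAML loader honour an arbitrary !ruby/object tag, or only an explicit set of classes? The following is an added example, not code from Oracle, Red Hat or the Ruby project. The RevivalGadget class, the YAML document and the helper names are constructed for illustration; the gadget only records that its revival hook ran, where a real gadget class would act on the attacker-controlled value.

```ruby
require 'psych'

# Constructed stand-in for a class whose YAML revival hook has a side effect.
# Psych calls init_with(coder) when it revives a !ruby/object:RevivalGadget
# node, so the loader itself drives this method with attacker-chosen data.
class RevivalGadget
  @log = []
  class << self
    attr_reader :log
  end
  attr_reader :cmd

  def init_with(coder)
    @cmd = coder['cmd']
    self.class.log << @cmd   # a real gadget would execute it; we only record it
  end
end

# Constructed untrusted document: a gemspec-like mapping that smuggles an
# object tag into a field the consumer expects to hold plain strings.
UNTRUSTED_YAML = <<~YAML
  ---
  name: example
  version: 1.0.0
  metadata: !ruby/object:RevivalGadget
    cmd: touch /tmp/owned
YAML

# Pre-fix behaviour: the unrestricted loader resolves every !ruby/object tag.
# Psych 4 (Ruby 3.1+) made Psych.load safe by default, so the unrestricted
# loader is reached via Psych.unsafe_load there; older Psych has only load.
def load_permissive(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# Post-fix behaviour: safe_load revives only core scalar and collection types
# plus the classes on an explicit allow list. Returns the parsed document, or
# the Psych::DisallowedClass exception when a tag is refused.
# The Psych 2.0 backport shipped in this advisory takes the allow list as a
# positional argument, safe_load(yaml, [Klass]), rather than the keyword used
# by Psych 3.1 and later.
def load_restricted(yaml, permitted: [])
  Psych.safe_load(yaml, permitted_classes: permitted)
rescue Psych::DisallowedClass => e
  e
end

if __FILE__ == $PROGRAM_NAME
  doc = load_permissive(UNTRUSTED_YAML)
  puts "permissive load revived: #{doc['metadata'].class}, log=#{RevivalGadget.log.inspect}"
  puts "safe_load without allow list: #{load_restricted(UNTRUSTED_YAML).class}"
  puts "safe_load with allow list:    #{load_restricted(UNTRUSTED_YAML, permitted: [RevivalGadget])['metadata'].class}"
end
```

The point for a practitioner is the third call: safe_load is only as safe as its allow list, so anything a gem specification or other untrusted document is allowed to revive still has to be a class whose init_with and attribute writers are harmless with hostile input.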