Description
Security update for ruby
This update for ruby fixes the following issues:
Security issues fixed:
- CVE-2015-1855: Ruby OpenSSL Hostname Verification (bsc#926974)
- CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495)
Bugfixes:
- Fix a small mistake in the backport (bsc#986630)
Package list
SUSE Lifecycle Management Server 1.3
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Server for SAP Applications 11 SP4
SUSE Linux Enterprise Software Development Kit 11 SP4
SUSE Studio Onsite 1.3
SUSE WebYast 1.3
References
- Link for SUSE-SU-2017:0948-1
- E-Mail link for SUSE-SU-2017:0948-1
- SUSE Security Ratings
- SUSE Bug 926974
- SUSE Bug 959495
- SUSE Bug 986630
- SUSE CVE CVE-2015-1855 page
- SUSE CVE CVE-2015-7551 page
Description
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
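The four classes of input named in this description are the ones a strict hostname matcher has to handle. The following Ruby module is an added example written for this page; it is not SUSE's code and not the matcher from Ruby's OpenSSL extension. The matching rules it applies (a single wildcard only in the left-most label, no wildcard inside an IDNA A-label, case-insensitive comparison, ASCII-only names) are taken from RFC 6125 section 6.4.3 as an assumption of what proper validation means.

```ruby
# Added example: strict matching of a presented certificate name (CN or
# dNSName SAN) against the hostname the client intended to reach.
# Assumption: the rules follow RFC 6125 section 6.4.3; this is not Ruby's
# own verify_certificate_identity implementation.
module StrictHostnameMatch
  module_function

  # Match one label of the certificate name against one label of the host.
  def label_match?(cert_label, host_label)
    parts = cert_label.split('*', -1)
    return cert_label == host_label if parts.size == 1 # no wildcard at all
    return false if parts.size > 2                     # (1) multiple wildcards
    prefix, suffix = parts
    # (2) a wildcard must not match inside an IDNA A-label (xn--...);
    #     only a bare "*" may stand for a whole A-label.
    return false if host_label.start_with?('xn--') && cert_label != '*'
    # the wildcard has to consume at least one character
    return false if prefix.size + suffix.size >= host_label.size
    host_label.start_with?(prefix) && host_label.end_with?(suffix)
  end

  # Returns true only if cert_name is an acceptable identifier for hostname.
  def match?(cert_name, hostname)
    # (4) reject non-ASCII on either side; U-labels must already have been
    #     converted to A-labels before they reach the TLS layer.
    return false unless cert_name.ascii_only? && hostname.ascii_only?
    # (3) DNS names are case-insensitive, so compare in one case.
    cert_labels = cert_name.downcase.split('.', -1)
    host_labels = hostname.downcase.split('.', -1)
    return false if cert_labels.empty? || cert_labels.size != host_labels.size
    return false if (cert_labels + host_labels).any?(&:empty?)
    # a wildcard may appear only in the left-most label, and never when that
    # would match a whole registrable domain (e.g. "*.com")
    return false if cert_labels.drop(1).any? { |l| l.include?('*') }
    return false if cert_labels.first.include?('*') && cert_labels.size < 3
    cert_labels.zip(host_labels).all? { |c, h| label_match?(c, h) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample pairs covering each vector in the CVE text.
  [
    ['*.example.com',     'www.example.com'],           # accepted
    ['*.*.example.com',   'a.b.example.com'],           # multiple wildcards
    ['x*.example.com',    'xn--bcher-kva.example.com'], # wildcard in A-label
    ['WWW.Example.COM',   'www.example.com'],           # case difference
    ['www.example.com',   'www.exämple.com'],           # non-ASCII
  ].each do |cert, host|
    puts "#{cert} vs #{host}: #{StrictHostnameMatch.match?(cert, host)}"
  end
end
```

The matcher errs on the side of refusal: any name it cannot classify cleanly (empty labels, mismatched label counts, wildcards outside the left-most label) is rejected rather than matched.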
Affected products
References
- CVE-2015-1855
- SUSE Bug 926974
Description
The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.
Affected products
References
- CVE-2015-7551
- SUSE Bug 939860
- SUSE Bug 959495