ruby2.3: CVE-2017-0903: Unsafe object deserialization through YAML formatted gem specifications

Debian Bug report logs - #879231
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 20 Oct 2017 19:36:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version ruby2.3/2.3.3-1

Fixed in versions ruby2.3/2.3.3-1+deb9u2, ruby2.3/2.3.5-1

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#879231; Package src:ruby2.3. (Fri, 20 Oct 2017 19:36:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antonio Terceiro <terceiro@debian.org>. (Fri, 20 Oct 2017 19:36:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby2.3: CVE-2017-0903: Unsafe object deserialization through YAML formatted gem specifications
Date: Fri, 20 Oct 2017 21:32:28 +0200
Source: ruby2.3
Version: 2.3.3-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for ruby2.3.

CVE-2017-0903[0]:
| RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a
| possible remote code execution vulnerability. YAML deserialization of
| gem specifications can bypass class white lists. Specially crafted
| serialized objects can possibly be used to escalate to remote code
| execution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-0903
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903
[1] http://www.openwall.com/lists/oss-security/2017/10/10/2
[2] https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49

Regards,
Salvatore
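The description above, together with the "Whitelist classes and symbols that are in Gem spec YAML" changelog entry later in this log, describes the fix as an allowlist on the YAML loader. The Ruby below is an added example written for this page, not code from the bug report or from the RubyGems patch: it loads gem metadata through Psych.safe_load with an allowlist modelled on that fix and shows a crafted tag or symbol being rejected. The class and symbol lists, the helper names and the three YAML documents are assumptions constructed for the example.

```ruby
require 'psych'
require 'rubygems'

# Allowlist in the spirit of the "Whitelist classes and symbols that are in
# Gem spec YAML" fix for CVE-2017-0903: only classes a legitimate gem metadata
# document needs, and only the two dependency-type symbols. The exact lists
# are an assumption for this example, not a copy of the RubyGems patch.
PERMITTED_CLASSES = [Gem::Specification, Gem::Dependency, Gem::Requirement,
                     Gem::Version, Symbol, Time].freeze
PERMITTED_SYMBOLS = %w[development runtime].freeze

# Parse gem metadata YAML without letting the document choose which classes
# get instantiated. Psych raises Psych::DisallowedClass for any !ruby/object
# tag or symbol outside the allowlist, so a crafted document fails closed.
def load_gem_metadata(yaml)
  Psych.safe_load(yaml,
                  permitted_classes: PERMITTED_CLASSES,
                  permitted_symbols: PERMITTED_SYMBOLS,
                  aliases: false)
end

# Defender-side wrapper: returns [true, parsed] for an acceptable document and
# [false, reason] for one the allowlist rejects (or that is malformed YAML).
def check_gem_metadata(yaml)
  [true, load_gem_metadata(yaml)]
rescue Psych::Exception => e
  [false, e.message]
end

# Constructed metadata fragments (not real gems) in the shape of the YAML that
# a built .gem carries in its metadata.gz.
GOOD_METADATA = <<~YAML
  ---
  name: example-gem
  version: !ruby/object:Gem::Version
    version: 1.2.3
  date: 2017-10-20 00:00:00.000000000 Z
  dependencies:
  - name: rake
    type: :runtime
YAML

# Same shape, but the version tag names a class outside the allowlist.
BAD_CLASS_METADATA = GOOD_METADATA.sub('Gem::Version', 'Not::Allowed')

# Same shape, but the dependency type is a symbol outside the allowlist.
BAD_SYMBOL_METADATA = GOOD_METADATA.sub(':runtime', ':other')

if $PROGRAM_NAME == __FILE__
  [GOOD_METADATA, BAD_CLASS_METADATA, BAD_SYMBOL_METADATA].each do |doc|
    ok, detail = check_gem_metadata(doc)
    puts(ok ? "accepted: #{detail['name']} #{detail['version']}" : "rejected: #{detail}")
  end
end
```

The keyword form of Psych.safe_load used here exists from Psych 3.1 (Ruby 2.6); on the Ruby 2.3 in this report the class and symbol lists are passed positionally.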



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#879231; Package src:ruby2.3. (Mon, 23 Oct 2017 13:54:08 GMT)

Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. (Mon, 23 Oct 2017 13:54:08 GMT)

Message #10 received at 879231@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: team@security.debian.org
Cc: 875928@bugs.debian.org, 875931@bugs.debian.org, 875936@bugs.debian.org, 876377@bugs.debian.org, 879231@bugs.debian.org
Subject: security update: ruby2.3
Date: Mon, 23 Oct 2017 11:49:28 -0200
Hi security team,

I have prepared a security update for ruby2.3.

It includes all the pending recent CVEs, plus a fix for a bug that
causes runaway child processes hogging the CPU, noticed at least in
puppet.

The test suite still passes both during build, and under autopkgtest. I
am running these packages on my workstation since yesterday. The patches
are targeted enough that I don't expect any regressions.

As I explained before, unfortunately the patch management for ruby2.3 is
not optimal, so I attach both the debdiff and the individual patches
that I applied to the git repository. The latter will make your review
work easier.

You can also inspect the git repository:
https://anonscm.debian.org/cgit/collab-maint/ruby.git/log/?h=debian/stretch
[ruby2.3.diff (text/x-diff, attachment)]
[0001-asn1-fix-out-of-bounds-read-in-decoding-constructed-.patch (text/x-diff, attachment)]
[0002-lib-webrick-log.rb-sanitize-any-type-of-logs-CVE-201.patch (text/x-diff, attachment)]
[0003-fix-Buffer-underrun-vulnerability-in-Kernel.sprintf-.patch (text/x-diff, attachment)]
[0004-Whitelist-classes-and-symbols-that-are-in-Gem-spec-Y.patch (text/x-diff, attachment)]
[0005-thread_pthread.c-do-not-wakeup-inside-child-processe.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#879231; Package src:ruby2.3. (Sat, 04 Nov 2017 21:12:10 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Sat, 04 Nov 2017 21:12:10 GMT)

Message #15 received at 879231@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Antonio Terceiro <terceiro@debian.org>
Cc: team@security.debian.org, 875928@bugs.debian.org, 875931@bugs.debian.org, 875936@bugs.debian.org, 876377@bugs.debian.org, 879231@bugs.debian.org, adsb@debian.org
Subject: Re: security update: ruby2.3
Date: Sat, 4 Nov 2017 22:08:36 +0100
Hi Antonio

Sorry for the late reply

On Mon, Oct 23, 2017 at 11:49:28AM -0200, Antonio Terceiro wrote:
> Hi security team,
> 
> I have prepared a security update for ruby2.3.
> 
> It includes all the pending recent CVEs, plus a fix for a bug that
> causes runaway child processes hogging the CPU, noticed at least in
> puppet.

For the latter one, not directly a security issue, strictly speaking we
would need an ack from the SRM to see they would ack it to a point
release and then we can pick it as well for a security update. The
patch though looks confined enough that I would trust it's okay as
well for SRM to see it included (Cc'ed explicitly Adam).

> The test suite still passes both during build, and under autopkgtest. I
> am running these packages on my workstation since yesterday. The patches
> are targeted enough that I don't expect any regressions.
> 
> As I explained before, unfortunately the patch management for ruby2.3 is
> not optimal, so I attach both the debdiff and the individual patches
> that I applied to the git repository. The latter will make your review
> work easier.
> 
> You can also inspect the git repository:
> https://anonscm.debian.org/cgit/collab-maint/ruby.git/log/?h=debian/stretch

Yes thank you. Please go ahead with the upload to security-master
(unless you in meanwhile have found any regression caused by the
update on your workstation).

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#879231; Package src:ruby2.3. (Sat, 04 Nov 2017 22:48:11 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Sat, 04 Nov 2017 22:48:11 GMT)

Message #20 received at 879231@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Salvatore Bonaccorso <carnil@debian.org>, Antonio Terceiro <terceiro@debian.org>
Cc: team@security.debian.org, 875928@bugs.debian.org, 875931@bugs.debian.org, 875936@bugs.debian.org, 876377@bugs.debian.org, 879231@bugs.debian.org, adsb@debian.org
Subject: Re: security update: ruby2.3
Date: Sat, 04 Nov 2017 22:45:06 +0000
On Sat, 2017-11-04 at 22:08 +0100, Salvatore Bonaccorso wrote:
> Hi Antonio
> 
> Sorry for the late reply
> 
> On Mon, Oct 23, 2017 at 11:49:28AM -0200, Antonio Terceiro wrote:
> > Hi security team,
> > 
> > I have prepared a security update for ruby2.3.
> > 
> > It includes all the pending recent CVEs, plus a fix for a bug that
> > causes runaway child processes hogging the CPU, noticed at least in
> > puppet.
> 
> For the latter one, not directly a security issue, strictly speaking we
> would need an ack from the SRM to see they would ack it to a point
> release and then we can pick it as well for a security update. The
> patch though looks confined enough that I would trust it's okay as
> well for SRM to see it included (Cc'ed explicitly Adam).

Assuming that's "0005-thread_pthread.c-do-not-wakeup-inside-child-processe.patch", it looks okay to me.

As I've previously mentioned to Salvatore in another discussion, the
fact that the patch hasn't been applied in unstable, afaict, doesn't
fit our usual requirements for accepting patches in stable. I
understand there are reasons for that, and the upload going via the
security archive does make things slightly easier from that
perspective, but as things stand I imagine we'll end up pushing +deb9u2
into unstable during the next point release, as we did with +deb9u1
recently.

Regards,

Adam



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#879231; Package src:ruby2.3. (Tue, 07 Nov 2017 17:09:10 GMT)

Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. (Tue, 07 Nov 2017 17:09:10 GMT)

Message #25 received at 879231@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org, 875928@bugs.debian.org, 875931@bugs.debian.org, 875936@bugs.debian.org, 876377@bugs.debian.org, 879231@bugs.debian.org, adsb@debian.org
Subject: Re: security update: ruby2.3
Date: Tue, 7 Nov 2017 15:03:50 -0200
On Sat, Nov 04, 2017 at 10:45:06PM +0000, Adam D. Barratt wrote:
> On Sat, 2017-11-04 at 22:08 +0100, Salvatore Bonaccorso wrote:
> > Hi Antonio
> > 
> > Sorry for the late reply
> > 
> > On Mon, Oct 23, 2017 at 11:49:28AM -0200, Antonio Terceiro wrote:
> > > Hi security team,
> > > 
> > > I have prepared a security update for ruby2.3.
> > > 
> > > It includes all the pending recent CVEs, plus a fix for a bug that
> > > causes runaway child processes hogging the CPU, noticed at least in
> > > puppet.
> > 
> > For the latter one, not directly a security issue, strictly speaking we
> > would need an ack from the SRM to see they would ack it to a point
> > release and then we can pick it as well for a security update. The
> > patch though looks confined enough that I would trust it's okay as
> > well for SRM to see it included (Cc'ed explicitly Adam).
> 
> Assuming that's "0005-thread_pthread.c-do-not-wakeup-inside-child-processe.patch", it looks okay to me.

Thanks.

> As I've previously mentioned to Salvatore in another discussion, the
> fact that the patch hasn't been applied in unstable, afaict, doesn't
> fit our usual requirements for accepting patches in stable. I
> understand there are reasons for that, and the upload going via the
> security archive does make things slightly easier from that
> perspective, but as things stand I imagine we'll end up pushing +deb9u2
> into unstable during the next point release, as we did with +deb9u1
> recently.

If I upload these changes to unstable myself (with a properly adjusted
version number), does that make it easier for you? I have not been doing
that because ruby2.3 won't be shipped in buster anyway, but I would
rather consume my time as maintainer than yours as stable release
manager.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#879231; Package src:ruby2.3. (Tue, 07 Nov 2017 17:21:16 GMT)

Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. (Tue, 07 Nov 2017 17:21:16 GMT)

Message #30 received at 879231@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: team@security.debian.org, 875928@bugs.debian.org, 875931@bugs.debian.org, 875936@bugs.debian.org, 876377@bugs.debian.org, 879231@bugs.debian.org, adsb@debian.org
Subject: Re: security update: ruby2.3
Date: Tue, 7 Nov 2017 15:16:36 -0200
On Sat, Nov 04, 2017 at 10:08:36PM +0100, Salvatore Bonaccorso wrote:
> Hi Antonio
> 
> Sorry for the late reply
> 
> On Mon, Oct 23, 2017 at 11:49:28AM -0200, Antonio Terceiro wrote:
> > Hi security team,
> > 
> > I have prepared a security update for ruby2.3.
> > 
> > It includes all the pending recent CVEs, plus a fix for a bug that
> > causes runaway child processes hogging the CPU, noticed at least in
> > puppet.
> 
> For the latter one, not directly a security issue, strictly speaking we
> would need an ack from the SRM to see they would ack it to a point
> release and then we can pick it as well for a security update. The
> patch though looks confined enough that I would trust it's okay as
> well for SRM to see it included (Cc'ed explicitly Adam).
> 
> > The test suite still passes both during build, and under autopkgtest. I
> > am running these packages on my workstation since yesterday. The patches
> > are targeted enough that I don't expect any regressions.
> > 
> > As I explained before, unfortunately the patch management for ruby2.3 is
> > not optimal, so I attach both the debdiff and the individual patches
> > that I applied to the git repository. The latter will make your review
> > work easier.
> > 
> > You can also inspect the git repository:
> > https://anonscm.debian.org/cgit/collab-maint/ruby.git/log/?h=debian/stretch
> 
> Yes thank you. Please go ahead with the upload to security-master
> (unless you in meanwhile have found any regression caused by the
> update on your workstation).

Uploaded.

Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Sun, 12 Nov 2017 15:36:28 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 12 Nov 2017 15:36:28 GMT)

Message #35 received at 879231-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 879231-close@bugs.debian.org
Subject: Bug#879231: fixed in ruby2.3 2.3.3-1+deb9u2
Date: Sun, 12 Nov 2017 15:34:53 +0000
Source: ruby2.3
Source-Version: 2.3.3-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
ruby2.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby2.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 22 Oct 2017 12:45:48 -0200
Source: ruby2.3
Binary: ruby2.3 libruby2.3 ruby2.3-dev ruby2.3-doc ruby2.3-tcltk
Architecture: source amd64 all
Version: 2.3.3-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Antonio Terceiro <terceiro@debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 libruby2.3 - Libraries necessary to run Ruby 2.3
 ruby2.3    - Interpreter of object-oriented scripting language Ruby
 ruby2.3-dev - Header files for compiling extension modules for the Ruby 2.3
 ruby2.3-doc - Documentation for Ruby 2.3
 ruby2.3-tcltk - Ruby/Tk for Ruby 2.3
Closes: 875928 875931 875936 876377 879231
Changes:
 ruby2.3 (2.3.3-1+deb9u2) stretch-security; urgency=high
 .
   * asn1: fix out-of-bounds read in decoding constructed objects
     [CVE-2017-14033] (Closes: #875928)
     Original patch by Kazuki Yamaguchi; backported from the standalone openssl package
   * lib/webrick/log.rb: sanitize any type of logs
     [CVE-2017-10784] (Closes: #875931)
     Original patch by Yusuke Endoh; backported to Ruby 2.3 by Usaku NAKAMURA
   * fix Buffer underrun vulnerability in Kernel.sprintf
     [CVE-2017-0898] (Closes: #875936)
     Backported to Ruby 2.3 by Usaku NAKAMURA
   * Whitelist classes and symbols that are in Gem spec YAML
     [CVE-2017-0903] (Closes: #879231)
     Original patch by Aaron Patterson; backported from the standalone Rubygems
     package
   * thread_pthread.c: do not wakeup inside child processes
     Avoid child Ruby processes being stuck in a busy loop (Closes: #876377)
     Original patch by Eric Wong





Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Tue, 14 Nov 2017 13:39:15 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 14 Nov 2017 13:39:15 GMT)

Message #40 received at 879231-close@bugs.debian.org:

From: Antonio Terceiro <terceiro@debian.org>
To: 879231-close@bugs.debian.org
Subject: Bug#879231: fixed in ruby2.3 2.3.5-1
Date: Tue, 14 Nov 2017 13:36:32 +0000
Source: ruby2.3
Source-Version: 2.3.5-1

We believe that the bug you reported is fixed in the latest version of
ruby2.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby2.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 14 Nov 2017 11:06:39 -0200
Source: ruby2.3
Binary: ruby2.3 libruby2.3 ruby2.3-dev ruby2.3-doc ruby2.3-tcltk
Architecture: source
Version: 2.3.5-1
Distribution: unstable
Urgency: medium
Maintainer: Antonio Terceiro <terceiro@debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 libruby2.3 - Libraries necessary to run Ruby 2.3
 ruby2.3    - Interpreter of object-oriented scripting language Ruby
 ruby2.3-dev - Header files for compiling extension modules for the Ruby 2.3
 ruby2.3-doc - Documentation for Ruby 2.3
 ruby2.3-tcltk - Ruby/Tk for Ruby 2.3
Closes: 842432 853648 864860 873802 873906 875928 875931 875936 879231
Changes:
 ruby2.3 (2.3.5-1) unstable; urgency=medium
 .
   * New upstream release.
     - Includes fix for building with GCC 7 (Closes: #853648)
     - Included security fixes
       - Buffer underrun vulnerability in OpenSSL ASN1 decode
         [CVE-2017-14033] (Closes: #875928)
       - Escape sequence injection vulnerability in the Basic authentication of
         WEBrick
         [CVE-2017-10784] (Closes: #875931)
       - Buffer underrun vulnerability in Kernel.sprintf
         [CVE-2017-0898] (Closes: #875936)
       - Multiple security vulnerabilities in Rubygems (Closes: #873802)
         - DNS request hijacking vulnerability. Discovered by Jonathan
           Claudius, fix by Samuel Giddins.
           [CVE-2017-0902]
         - ANSI escape sequence vulnerability. Discovered by Yusuke Endoh,
           fix by Evan Phoenix.
           [CVE-2017-0899]
         - DoS vulnerability in the query command. Discovered by Yusuke
           Endoh, fix by Samuel Giddins.
           [CVE-2017-0900]
         - Vulnerability in the gem installer that allowed a malicious gem to
           overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel
           Giddins.
           [CVE-2017-0901]
         - Arbitrary heap exposure problem in the JSON library
           [CVE-2017-14064] (Closes: #873906)
         - SMTP comment injection
           [CVE-2015-9096] (Closes: #864860)
         - IV Reuse in GCM Mode in the OpenSSL bindings
           [CVE-2016-7798] (Closes: #842432)
   * Whitelist classes and symbols that are in Gem spec YAML
     [CVE-2017-0903] (Closes: #879231)
     Original patch by Aaron Patterson; backported from the standalone Rubygems
     package
   * Convert packaging from using a plain git history to using gbp-pq, thus
     making debian individual patches explicitly present in debian/patches
   * Refresh debian/libruby2.3.symbols. There are some removed symbols, but
     they are never exposed in a header file so there should be no packages
     using them.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Jan 2018 07:31:06 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:34:42 2019; Machine Name: buxtehude
