Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities

Related Vulnerabilities: CVE-2009-5147   CVE-2015-1855   CVE-2015-7551   CVE-2015-9096   CVE-2016-2337   CVE-2016-2339   CVE-2016-7798  

Several security issues were fixed in Ruby.

It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147)

Source

25 July 2017

ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Ruby.

Software Description

  • ruby2.3 - Object-oriented scripting language
  • ruby1.9.1 - Object-oriented scripting language
  • ruby2.0 - Object-oriented scripting language

Details

It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147)

Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855)

Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-7551)

It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences. A remote attacker could possibly use this issue to inject SMTP commands. (CVE-2015-9096)

Marcin Noga discovered that Ruby incorrectly handled certain arguments in a TclTkIp class method. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2337)

It was discovered that Ruby Fiddle::Function.new incorrectly handled certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2339)

It was discovered that Ruby incorrectly handled the initialization vector (IV) in GCM mode. An attacker could possibly use this issue to bypass encryption. (CVE-2016-7798)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 17.04
libruby2.3 - 2.3.3-1ubuntu0.1
ruby2.3 - 2.3.3-1ubuntu0.1
Ubuntu 16.04 LTS
libruby2.3 - 2.3.1-2~16.04.2
ruby2.3 - 2.3.1-2~16.04.2
Ubuntu 14.04 LTS
libruby1.9.1 - 1.9.3.484-2ubuntu1.3
libruby2.0 - 2.0.0.484-1ubuntu2.4
ruby1.9.1 - 1.9.3.484-2ubuntu1.3
ruby2.0 - 2.0.0.484-1ubuntu2.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started