Several security issues were fixed in Ruby ...
Multiple vulnerabilities were discovered in the interpreter for the Ruby
language:
CVE-2015-9096
SMTP command injection in Net::SMTP
CVE-2016-7798
Incorrect handling of initialization vector in the GCM mode in the
OpenSSL extension
CVE-2017-0900
Denial of service in the RubyGems client
CVE-2017-0901
Potential file overwrite ...
Synopsis
Moderate: rh-ruby24-ruby security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for rh-ruby24-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerab ...
Synopsis
Important: rh-ruby23-ruby security, bug fix, and enhancement update
Type/Severity
Security Advisory: Important
Topic
An update for rh-ruby23-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis
Important: ruby security update
Type/Severity
Security Advisory: Important
Topic
An update for ruby is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which ...
Synopsis
Important: rh-ruby22-ruby security, bug fix, and enhancement update
Type/Severity
Security Advisory: Important
Topic
An update for rh-ruby22-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Debian Bug report logs -
#873906
ruby2.3: CVE-2017-14064
Package:
src:ruby2.3;
Maintainer for src:ruby2.3 is Antonio Terceiro <terceiro@debian.org>;
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 1 Sep 2017 05:27:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in version ruby2.3/2.3.3 ...
Debian Bug report logs -
#875928
ruby2.3: CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
Package:
src:ruby2.3;
Maintainer for src:ruby2.3 is Antonio Terceiro <terceiro@debian.org>;
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 16 Sep 2017 08:39:01 UTC
Severity: serious
Tags: s ...
Debian Bug report logs -
#842432
ruby2.3: CVE-2016-7798: IV Reuse in GCM Mode
Package:
src:ruby2.3;
Maintainer for src:ruby2.3 is Antonio Terceiro <terceiro@debian.org>;
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 29 Oct 2016 06:45:01 UTC
Severity: serious
Tags: fixed-upstream, patch, security, u ...
Debian Bug report logs -
#875931
ruby2.3: CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
Package:
src:ruby2.3;
Maintainer for src:ruby2.3 is Antonio Terceiro <terceiro@debian.org>;
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 16 Sep 2017 08:51:04 UTC
...
Debian Bug report logs -
#873802
Multiple vulnerabilities in rubygems (CVE-2017-0899 to CVE-2017-0902)
Package:
src:ruby2.3;
Maintainer for src:ruby2.3 is Antonio Terceiro <terceiro@debian.org>;
Reported by: Raphael Hertzog <hertzog@debian.org>
Date: Thu, 31 Aug 2017 10:18:02 UTC
Severity: serious
Tags: security, ups ...
Debian Bug report logs -
#879231
ruby2.3: CVE-2017-0903: Unsafe object deserialization through YAML formatted gem specifications
Package:
src:ruby2.3;
Maintainer for src:ruby2.3 is Antonio Terceiro <terceiro@debian.org>;
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 20 Oct 2017 19:36:01 UTC
Severit ...
Debian Bug report logs -
#864860
ruby2.3: CVE-2015-9096: SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP
Package:
src:ruby2.3;
Maintainer for src:ruby2.3 is Antonio Terceiro <terceiro@debian.org>;
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 16 Jun 2017 07:21 ...
Debian Bug report logs -
#875936
ruby2.3: CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
Package:
src:ruby2.3;
Maintainer for src:ruby2.3 is Antonio Terceiro <terceiro@debian.org>;
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 16 Sep 2017 09:18:05 UTC
Severity: serious
Tags: securit ...
Arbitrary heap exposure during a JSON.generate call. Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is ...
SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP. An SMTP command injection flaw was found in the way Ruby's Net::SMTP module handled CRLF sequences in certain SMTP commands. An attacker could potentially use this flaw to inject SMTP commands into an SMTP session in order to facilitate phishing attacks or spam campa ...
It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A specially crafted gem from a gem repository could freeze gem commands attempting to parse its summary ...