Debian: DSA-3966-1: ruby2.3 security update
Multiple vulnerabilities were discovered in the interpreter for the Ruby language: CVE-2015-9096
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3966-1
https://www.debian.org/security/                         Moritz Muehlenhoff
September 05, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2015-9096 CVE-2016-7798 CVE-2017-0899 CVE-2017-0900
                 CVE-2017-0901 CVE-2017-0902 CVE-2017-14064

Multiple vulnerabilities were discovered in the interpreter for the Ruby
language:

CVE-2015-9096

    SMTP command injection in Net::SMTP.

CVE-2016-7798

    Incorrect handling of initialization vector in the GCM mode in the
    OpenSSL extension.

CVE-2017-0900

    Denial of service in the RubyGems client.

CVE-2017-0901

    Potential file overwrite in the RubyGems client.

CVE-2017-0902

    DNS hijacking in the RubyGems client.

CVE-2017-14064

    Heap memory disclosure in the JSON library.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u1.

This update also hardens RubyGems against malicious terminal escape
sequences (CVE-2017-0899).

We recommend that you upgrade your ruby2.3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
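Added example for the CVE-2015-9096 entry above (SMTP command injection in Net::SMTP). This is not code from the advisory or from Ruby's Net::SMTP; it models the command stream an SMTP client writes on the wire, so it runs offline without a mail server. The attacker-controlled address, the helper names and the SmtpArgumentError class are constructed for the demonstration. The hardened path does what the upstream fix does in spirit: refuse any address carrying CR or LF before it is interpolated into a command.

```ruby
# Constructed attacker input: a recipient that terminates the RCPT TO command
# early and smuggles a second SMTP command after the CRLF.
INJECTED_ADDRESS = "victim@example.com>\r\nRCPT TO:<attacker@example.net".freeze

# Vulnerable client behaviour: the address goes straight into the command
# line, so an embedded CRLF becomes a command separator on the wire.
def unsafe_rcpt_command(address)
  "RCPT TO:<#{address}>\r\n"
end

# Model of the server side: SMTP commands are delimited by CRLF, so split the
# stream exactly as a server would and drop the trailing empty element.
def server_commands(stream)
  stream.split("\r\n").reject(&:empty?)
end

class SmtpArgumentError < ArgumentError; end

# Hardened client behaviour: reject CR or LF in the argument before building
# the command (the same class of check the Net::SMTP fix adds).
def safe_rcpt_command(address)
  if address =~ /[\r\n]/
    raise SmtpArgumentError, "SMTP address contains CR or LF: #{address.inspect}"
  end
  "RCPT TO:<#{address}>\r\n"
end

# Runs both paths against the constructed input and a benign address and
# reports how many commands the server would see and whether the injection
# was blocked.
def demo
  unsafe = server_commands(unsafe_rcpt_command(INJECTED_ADDRESS))
  safe_ok = server_commands(safe_rcpt_command("victim@example.com"))
  blocked =
    begin
      safe_rcpt_command(INJECTED_ADDRESS)
      false
    rescue SmtpArgumentError
      true
    end
  {
    unsafe_commands: unsafe,          # two commands from one "address"
    safe_commands: safe_ok,           # exactly one command
    injection_blocked: blocked        # true: the hardened path raised
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The vulnerable path yields two RCPT TO commands from a single address argument, which is the whole bug: the server cannot tell a smuggled command from a legitimate one. Validating the argument is the right layer for the fix because it protects every command the client builds, not only RCPT TO.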
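Added example for the CVE-2016-7798 entry above (incorrect IV handling in GCM mode in the OpenSSL extension). This is not code from the advisory or from Ruby's openssl extension; it uses the extension's public AES-GCM API to show why an IV that silently fails to take effect is dangerous: GCM is counter mode underneath, so two messages encrypted under the same key and IV leak their XOR. The key, IVs and plaintexts are constructed for the demonstration. The affected extension discarded an IV that was set before the key, so the encrypt helper sets the key first; that ordering and the distinct-IV check are the practical takeaways.

```ruby
require 'openssl'

# Constructed demonstration material; never reuse a (key, IV) pair in GCM.
DEMO_KEY = OpenSSL::Random.random_bytes(16)
DEMO_IV  = "\x00" * 12                  # 96-bit IV, deliberately reused below
DEMO_P1  = "MEET AT THE BRIDGE".freeze  # both plaintexts are 18 bytes
DEMO_P2  = "WIRE FUNDS TONIGHT".freeze

# AES-128-GCM encryption. Key is set before IV on purpose: with the affected
# extension, an IV set before the key was discarded and a stale IV reused.
# Returns [ciphertext, auth_tag].
def gcm_encrypt(key, iv, plaintext, aad = '')
  cipher = OpenSSL::Cipher.new('aes-128-gcm')
  cipher.encrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  [ciphertext, cipher.auth_tag]
end

# AES-128-GCM decryption; raises OpenSSL::Cipher::CipherError on a bad tag.
def gcm_decrypt(key, iv, ciphertext, tag, aad = '')
  cipher = OpenSSL::Cipher.new('aes-128-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final
end

# Byte-wise XOR over the common length of two strings.
def xor_bytes(a, b)
  n = [a.bytesize, b.bytesize].min
  a.bytes.take(n).zip(b.bytes.take(n)).map { |x, y| x ^ y }.pack('C*')
end

# With a reused IV the GCTR keystream repeats, so C1 xor C2 == P1 xor P2:
# anyone who knows one plaintext recovers the other without the key.
def iv_reuse_leaks_xor?(key, iv, p1, p2)
  c1, _ = gcm_encrypt(key, iv, p1)
  c2, _ = gcm_encrypt(key, iv, p2)
  xor_bytes(c1, c2) == xor_bytes(p1, p2)
end

# Regression-style check for this bug class: two fresh IVs must yield two
# different ciphertexts for the same plaintext. If the IV you set is being
# ignored, this returns false.
def distinct_ivs_give_distinct_ciphertexts?(key, plaintext)
  c1, _ = gcm_encrypt(key, OpenSSL::Random.random_bytes(12), plaintext)
  c2, _ = gcm_encrypt(key, OpenSSL::Random.random_bytes(12), plaintext)
  c1 != c2
end

# Tag verification still works regardless of IV handling: flipping one bit of
# the ciphertext must make decryption fail.
def tamper_detected?(key, iv, plaintext)
  c, tag = gcm_encrypt(key, iv, plaintext)
  c[0] = (c.getbyte(0) ^ 0x01).chr
  gcm_decrypt(key, iv, c, tag)
  false
rescue OpenSSL::Cipher::CipherError
  true
end

if $PROGRAM_NAME == __FILE__
  puts "IV reuse leaks P1 xor P2: #{iv_reuse_leaks_xor?(DEMO_KEY, DEMO_IV, DEMO_P1, DEMO_P2)}"
  puts "fresh IVs differ:         #{distinct_ivs_give_distinct_ciphertexts?(DEMO_KEY, DEMO_P1)}"
  puts "tamper detected:          #{tamper_detected?(DEMO_KEY, DEMO_IV, DEMO_P1)}"
end
```

The XOR leak is the reason the advisory treats an IV-handling bug as a security issue rather than a functional one: the cipher keeps producing valid-looking output and valid tags while confidentiality is gone. When auditing Ruby code on a pre-fix openssl extension, the distinct-IV check above is the cheapest way to confirm the IV you set is the one in use.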