Debian: DSA-3966-1: ruby2.3 security update

Multiple vulnerabilities were discovered in the interpreter for the Ruby language: CVE-2015-9096

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3966-1                   This email address is being protected from spambots. You need JavaScript enabled to view it.
https://www.debian.org/security/                       Moritz Muehlenhoff
September 05, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2015-9096 CVE-2016-7798 CVE-2017-0899 CVE-2017-0900 
                 CVE-2017-0901 CVE-2017-0902 CVE-2017-14064

Multiple vulnerabilities were discovered in the interpreter for the Ruby
language:

CVE-2015-9096

    SMTP command injection in Net::SMTP.

CVE-2016-7798

    Incorrect handling of initialization vector in the GCM mode in the
    OpenSSL extension.

CVE-2017-0900

    Denial of service in the RubyGems client.

CVE-2017-0901

    Potential file overwrite in the RubyGems client.

CVE-2017-0902

    DNS hijacking in the RubyGems client.

CVE-2017-14064

    Heap memory disclosure in the JSON library.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u1. This update also hardens RubyGems against
malicious termonal escape sequences (CVE-2017-0899).

We recommend that you upgrade your ruby2.3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.