Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Debian LTS: DLA-1336-1 Critical Rubygems Update for Multiple Issues

debian lts
Calendar Grey April 1, 2018
Dist Debian Esm H88
Several vulnerabilities addressed in Ruby's gem management tool, rubygems. Update to version 1.8.24-1+deb7u2 to enhance your system's security.
Multiple vulnerabilities were found in rubygems, a package management framework for Ruby

Summary

A negative size vulnerability in ruby gem package tar header that could
cause an infinite loop.

CVE-2018-1000076

Ruby gems package improperly verifies cryptographic signatures. A mis-signed
gem could be installed if the tarball contains multiple gem signatures.

CVE-2018-1000077

An improper input validation vulnerability in ruby gems specification
homepage attribute could allow malicious gem to set an invalid homepage
URL.

CVE-2018-1000078

Cross Site Scripting (XSS) vulnerability in gem server display of homepage
attribute

For Debian 7 "Wheezy", these problems have been fixed in version
1.8.24-1+deb7u2.

We recommend that you upgrade your rubygems packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
critical
Lowest
Low
Medium
High
Critical

<pre><font face="Courier">Package: rubygems
Version: 1.8.24-1+deb7u2
CVE ID: CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here