Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 534
Alerts This Week
Warning Icon 1 534

Debian 7 DLA-1358-1 Moderate: Ruby1.9.1 DoS and XSS Issues

debian lts
Calendar Grey April 23, 2018
Dist Debian Esm H88
Enhance ruby1.9.1 on Debian 7 to address severe problems such as DoS and XSS security flaws. Safeguard your environment!
Multiple vulnerabilities were found in the interpreter for the Ruby language

Summary

Aaron Patterson reported that WEBrick bundled with Ruby was vulnerable to
an HTTP response splitting vulnerability. It was possible for an attacker
to inject fake HTTP responses if a script accepted an external input and
output it without modifications.

CVE-2018-6914

ooooooo_q discovered a directory traversal vulnerability in the
Dir.mktmpdir method in the tmpdir library. It made it possible for
attackers to create arbitrary directories or files via a .. (dot dot) in
the prefix argument.

CVE-2018-8777

Eric Wong reported an out-of-memory DoS vulnerability related to a large
request in WEBrick bundled with Ruby.

CVE-2018-8778

aerodudrizzt found a buffer under-read vulnerability in the Ruby
String#unpack method. If a big number was passed with the specifier @,
the number was treated as a negative value, and an out-of-buffer read
occurred. Attackers could read data on heaps if an script accepts an
external input as the argument of String#unpack.

Read the Full Advisory


<pre><font face="Courier">Package: ruby1.9.1
Version: 1.9.3.194-8.1+deb7u8
CVE ID: CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.