MGASA-2018-0411 - Updated ruby packages fix security vulnerability

Publication date: 26 Oct 2018
URL: https://advisories.mageia.org/MGASA-2018-0411.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-17742,
     CVE-2018-6914,
     CVE-2018-8777,
     CVE-2018-8778,
     CVE-2018-8779,
     CVE-2018-8780,
     CVE-2018-16395,
     CVE-2018-16396

Ruby before 2.2.10 allows an HTTP Response Splitting attack. An attacker
can inject a crafted key and value into an HTTP response for the HTTP
server of WEBrick (CVE-2017-17742).

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir
library in Ruby before 2.2.10 might allow attackers to create arbitrary
directories or files via a .. (dot dot) in the prefix argument
(CVE-2018-6914).

In Ruby before 2.2.10, an attacker can pass a large HTTP request with a
crafted header to WEBrick server or a crafted body to WEBrick
server/handler and cause a denial of service (memory consumption)
(CVE-2018-8777).

In Ruby before 2.2.10, an attacker controlling the unpacking format
(similar to format string vulnerabilities) can trigger a buffer under-read
in the String#unpack method, resulting in a massive and controlled
information disclosure (CVE-2018-8778).

In Ruby before 2.2.10, the UNIXServer.open and UNIXSocket.open methods do
not check the socket path for NUL characters, so a connection may be made
to an unintended socket (CVE-2018-8779).

In Ruby before 2.2.10, the Dir.open, Dir.new, Dir.entries and Dir.empty?
methods do not check their path argument for NUL characters, so calling one
of them with such a path may result in unintended directory traversal
(CVE-2018-8780).
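As an added illustration of the input checks an application can place in front of the affected tmpdir, Dir and UNIXSocket methods (example code written for this page, not the advisory's or Ruby's own fix; the method and exception names are assumptions):

```ruby
# Added example (not part of the Mageia advisory or of Ruby itself): an
# allow-list validator for untrusted filesystem and socket names, applied
# before calling Dir.mktmpdir, Dir.open or UNIXSocket.open. It rejects the
# two inputs the advisory describes: a NUL byte, which pre-2.2.10 Dir.* and
# UNIXSocket.open did not check, and a ".." component, which Dir.mktmpdir
# accepted in its prefix argument. All method names here are this example's own.
require "tmpdir"
require "fileutils"

# Raised for any name that must not reach a path- or socket-taking API.
class UnsafeNameError < ArgumentError; end

# Returns true when +name+ is a single safe path component: a non-empty
# String with no NUL byte, no path separator, and neither "." nor "..".
def safe_component?(name)
  return false unless name.is_a?(String)
  return false if name.empty? || name.include?("\0")
  return false if name.include?("/") || name.include?("\\")
  !%w[. ..].include?(name)
end

# Raises UnsafeNameError unless +name+ passes safe_component?; returns +name+.
def safe_component!(name)
  raise UnsafeNameError, "unsafe name: #{name.inspect}" unless safe_component?(name)
  name
end

# Validates the prefix before delegating to Dir.mktmpdir, so a ".." or NUL
# byte never reaches the library even on a Ruby that does not check it.
# Behaves like Dir.mktmpdir: yields the directory to a block, or returns its
# path (the caller then owns its removal).
def safe_mktmpdir(prefix, &block)
  safe_component!(prefix)
  Dir.mktmpdir(prefix, &block)
end

# Returns true only when +path+ is a String containing no NUL byte; a NUL in
# the path is what made Dir.open and UNIXSocket.open target the wrong object.
def nul_free?(path)
  path.is_a?(String) && !path.include?("\0")
end
```

Ruby 2.2.10 and later perform the NUL and ".." checks themselves; the wrapper documents the expectation and fails early with a clear error on any version.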

Due to a bug in the equality check of OpenSSL::X509::Name, a malicious
X.509 certificate compared against an existing certificate may be
incorrectly judged equal to it (CVE-2018-16395).

In Array#pack and String#unpack with some formats, the tainted flags of
the original data are not propagated to the returned string/array
(CVE-2018-16396).

References:
- https://bugs.mageia.org/show_bug.cgi?id=22844
- https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
- https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
- https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
- https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
- https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
- https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
- https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
- https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16395
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396

SRPMS:
- 6/core/ruby-2.2.10-16.1.mga6
