Alerts This Week
Warning Icon 1 637
Alerts This Week
Warning Icon 1 637

openSUSE 42.1, 42.2: 2017:1128-1 Critical: Ruby2.1 Heap Overflow

opensuse
Calendar Grey April 28, 2017
Dist Opensuse Esm H88
Crucial notice for openSUSE addressing 5 vulnerabilities in ruby2.1, bolstering system security for users.
An update that solves 5 vulnerabilities and has three fixes An update that solves 5 vulnerabilities and has three fixes An update that solves 5 vulnerabilities and has three fixes ...

Description

This ruby2.1 update to version 2.1.9 fixes the following issues:

Security issues fixed:

- CVE-2016-2339: heap overflow vulnerability in the

Fiddle::Function.new"initialize" (bsc#1018808)

- CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495)

- CVE-2015-3900: hostname validation does not work when fetching gems or

making API requests (bsc#936032)

- CVE-2015-1855: Ruby'a OpenSSL extension suffers a vulnerability through

overly permissive matching of hostnames (bsc#926974)

- CVE-2014-4975: off-by-one stack-based buffer overflow in the encodes()

function (bsc#887877)

Bugfixes:

- SUSEconnect doesn't handle domain wildcards in no_proxy environment

variable properly (bsc#1014863)

- Segmentation fault after pack & ioctl & unpack (bsc#909695)

- Ruby:HTTP Header injection in 'net/http' (bsc#986630)

ChangeLog:

-

This update was imported from the SUSE:SLE-12:Update update project.

Topics%20covered

Topics Covered

security advisory buffer overflow critical DoS heap overflow ruby openSUSE

Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-527=1

- openSUSE Leap 42.1:

zypper in -t patch openSUSE-2017-527=1

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE Leap 42.2 (i586 x86_64):

libruby2_1-2_1-2.1.9-8.3.2

libruby2_1-2_1-debuginfo-2.1.9-8.3.2

ruby2.1-2.1.9-8.3.2

ruby2.1-debuginfo-2.1.9-8.3.2

ruby2.1-debugsource-2.1.9-8.3.2

ruby2.1-devel-2.1.9-8.3.2

ruby2.1-devel-extra-2.1.9-8.3.2

ruby2.1-doc-2.1.9-8.3.2

ruby2.1-stdlib-2.1.9-8.3.2

ruby2.1-stdlib-debuginfo-2.1.9-8.3.2

- openSUSE Leap 42.2 (noarch):

ruby2.1-doc-ri-2.1.9-8.3.2

- openSUSE Leap 42.1 (i586 x86_64):

libruby2_1-2_1-2.1.9-10.2

libruby2_1-2_1-debuginfo-2.1.9-10.2

ruby2.1-2.1.9-10.2

ruby2.1-debuginfo-2.1.9-10.2

ruby2.1-debugsource-2.1.9-10.2

ruby2.1-devel-2.1.9-10.2

ruby2.1-devel-extra-2.1.9-10.2

ruby2.1-doc-2.1.9-10.2

ruby2.1-stdlib-2.1.9-10.2

ruby2.1-stdlib-debuginfo-2.1.9-10.2

- openSUSE Leap 42.1 (noarch):

ruby2.1-doc-ri-2.1.9-10.2

References

https://www.suse.com/security/cve/CVE-2014-4975.html

https://www.suse.com/security/cve/CVE-2015-1855.html

https://www.suse.com/security/cve/CVE-2015-3900.html

https://www.suse.com/security/cve/CVE-2015-7551.html

https://www.suse.com/security/cve/CVE-2016-2339.html

https://bugzilla.suse.com/1014863

https://bugzilla.suse.com/1018808

https://bugzilla.suse.com/887877

https://bugzilla.suse.com/909695

https://bugzilla.suse.com/926974

https://bugzilla.suse.com/936032

https://bugzilla.suse.com/959495

https://bugzilla.suse.com/986630

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2017:1128-1
Rating: important
Affected Products: openSUSE Leap 42.2 openSUSE Leap 42.1

Topics%20covered

Topics Covered

security advisory buffer overflow critical DoS heap overflow ruby openSUSE

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here