openSUSE: 2019:1771-1: important: ruby-bundled-gems-rpmhelper, ruby2.5

    Date21 Jul 2019
    CategoryopenSUSE
    708
    Posted ByLinuxSecurity Advisories
    An update that solves 21 vulnerabilities and has two fixes is now available.
       openSUSE Security Update: Security update for ruby-bundled-gems-rpmhelper, ruby2.5
    ______________________________________________________________________________
    
    Announcement ID:    openSUSE-SU-2019:1771-1
    Rating:             important
    References:         #1082007 #1082008 #1082009 #1082010 #1082011 
                        #1082014 #1082058 #1087433 #1087434 #1087436 
                        #1087437 #1087440 #1087441 #1112530 #1112532 
                        #1130028 #1130611 #1130617 #1130620 #1130622 
                        #1130623 #1130627 #1133790 
    Cross-References:   CVE-2017-17742 CVE-2018-1000073 CVE-2018-1000074
                        CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077
                        CVE-2018-1000078 CVE-2018-1000079 CVE-2018-16395
                        CVE-2018-16396 CVE-2018-6914 CVE-2018-8777
                        CVE-2018-8778 CVE-2018-8779 CVE-2018-8780
                        CVE-2019-8320 CVE-2019-8321 CVE-2019-8322
                        CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
                       
    Affected Products:
                        openSUSE Leap 15.1
                        openSUSE Leap 15.0
    ______________________________________________________________________________
    
       An update that solves 21 vulnerabilities and has two fixes
       is now available.
    
    Description:
    
       This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the
       following issues:
    
       Changes in ruby2.5:
    
       Update to 2.5.5 and 2.5.4:
    
       https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/
       https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/
    
       Security issues fixed:
    
       - CVE-2019-8320: Delete directory using symlink when decompressing tar
         (bsc#1130627)
       - CVE-2019-8321: Escape sequence injection vulnerability in verbose
         (bsc#1130623)
       - CVE-2019-8322: Escape sequence injection vulnerability in gem
         owner  (bsc#1130622)
       - CVE-2019-8323: Escape sequence injection vulnerability in API response
         handling  (bsc#1130620)
       - CVE-2019-8324: Installing a malicious gem may lead to arbitrary code
         execution  (bsc#1130617)
       - CVE-2019-8325: Escape sequence injection vulnerability in errors
         (bsc#1130611)
    
    
       Ruby 2.5 was updated to 2.5.3:
    
       This release includes some bug fixes and some security fixes.
    
       Security issues fixed:
    
       - CVE-2018-16396: Tainted flags are not propagated in Array#pack and
         String#unpack with some directives (bsc#1112532)
       - CVE-2018-16395: OpenSSL::X509::Name equality check does not work
         correctly (bsc#1112530)
    
       Ruby 2.5 was updated to 2.5.1:
    
       This release includes some bug fixes and some security fixes.
    
       Security issues fixed:
    
       - CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434)
       - CVE-2018-6914: Unintentional file and directory creation with directory
         traversal in tempfile and tmpdir (bsc#1087441)
       - CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436)
       - CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433)
       - CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
         UNIXServer and UNIXSocket (bsc#1087440)
       - CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in
         Dir (bsc#1087437)
    
       - Multiple vulnerabilities in RubyGems were fixed:
    
         - CVE-2018-1000079: Fixed path traversal issue during gem installation
           allows to write to arbitrary filesystem locations (bsc#1082058)
         - CVE-2018-1000075: Fixed infinite loop vulnerability due to negative
           size in tar header causes Denial of Service (bsc#1082014)
         - CVE-2018-1000078: Fixed XSS vulnerability in homepage attribute when
           displayed via gem server (bsc#1082011)
         - CVE-2018-1000077: Fixed that missing URL validation on spec home
           attribute allows malicious gem to set an invalid homepage URL
           (bsc#1082010)
         - CVE-2018-1000076: Fixed improper verification of signatures in tarball
           allows to install mis-signed gem (bsc#1082009)
         - CVE-2018-1000074: Fixed unsafe Object Deserialization Vulnerability in
           gem owner allowing arbitrary code execution on specially crafted YAML
           (bsc#1082008)
         - CVE-2018-1000073: Fixed path traversal when writing to a symlinked
           basedir outside of the root (bsc#1082007)
    
       Other changes:
    
       - Fixed Net::POPMail methods modify frozen literal when using default arg
       - ruby: change over of the Japanese Era to the new emperor May 1st 2019
         (bsc#1133790)
       - build with PIE support (bsc#1130028)
    
    
       Changes in ruby-bundled-gems-rpmhelper:
    
       - Add a new helper for bundled ruby gems.
    
       This update was imported from the SUSE:SLE-15:Update update project.
    
    
    Patch Instructions:
    
       To install this openSUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - openSUSE Leap 15.1:
    
          zypper in -t patch openSUSE-2019-1771=1
    
       - openSUSE Leap 15.0:
    
          zypper in -t patch openSUSE-2019-1771=1
    
    
    
    Package List:
    
       - openSUSE Leap 15.1 (noarch):
    
          ruby-bundled-gems-rpmhelper-0.0.2-lp151.2.1
          ruby2.5-doc-ri-2.5.5-lp151.4.3.1
    
       - openSUSE Leap 15.1 (x86_64):
    
          libruby2_5-2_5-2.5.5-lp151.4.3.1
          libruby2_5-2_5-debuginfo-2.5.5-lp151.4.3.1
          ruby2.5-2.5.5-lp151.4.3.1
          ruby2.5-debuginfo-2.5.5-lp151.4.3.1
          ruby2.5-debugsource-2.5.5-lp151.4.3.1
          ruby2.5-devel-2.5.5-lp151.4.3.1
          ruby2.5-devel-extra-2.5.5-lp151.4.3.1
          ruby2.5-doc-2.5.5-lp151.4.3.1
          ruby2.5-stdlib-2.5.5-lp151.4.3.1
          ruby2.5-stdlib-debuginfo-2.5.5-lp151.4.3.1
    
       - openSUSE Leap 15.0 (noarch):
    
          ruby-bundled-gems-rpmhelper-0.0.2-lp150.2.1
          ruby2.5-doc-ri-2.5.5-lp150.3.3.1
    
       - openSUSE Leap 15.0 (x86_64):
    
          libruby2_5-2_5-2.5.5-lp150.3.3.1
          libruby2_5-2_5-debuginfo-2.5.5-lp150.3.3.1
          ruby2.5-2.5.5-lp150.3.3.1
          ruby2.5-debuginfo-2.5.5-lp150.3.3.1
          ruby2.5-debugsource-2.5.5-lp150.3.3.1
          ruby2.5-devel-2.5.5-lp150.3.3.1
          ruby2.5-devel-extra-2.5.5-lp150.3.3.1
          ruby2.5-doc-2.5.5-lp150.3.3.1
          ruby2.5-stdlib-2.5.5-lp150.3.3.1
          ruby2.5-stdlib-debuginfo-2.5.5-lp150.3.3.1
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2017-17742.html
       https://www.suse.com/security/cve/CVE-2018-1000073.html
       https://www.suse.com/security/cve/CVE-2018-1000074.html
       https://www.suse.com/security/cve/CVE-2018-1000075.html
       https://www.suse.com/security/cve/CVE-2018-1000076.html
       https://www.suse.com/security/cve/CVE-2018-1000077.html
       https://www.suse.com/security/cve/CVE-2018-1000078.html
       https://www.suse.com/security/cve/CVE-2018-1000079.html
       https://www.suse.com/security/cve/CVE-2018-16395.html
       https://www.suse.com/security/cve/CVE-2018-16396.html
       https://www.suse.com/security/cve/CVE-2018-6914.html
       https://www.suse.com/security/cve/CVE-2018-8777.html
       https://www.suse.com/security/cve/CVE-2018-8778.html
       https://www.suse.com/security/cve/CVE-2018-8779.html
       https://www.suse.com/security/cve/CVE-2018-8780.html
       https://www.suse.com/security/cve/CVE-2019-8320.html
       https://www.suse.com/security/cve/CVE-2019-8321.html
       https://www.suse.com/security/cve/CVE-2019-8322.html
       https://www.suse.com/security/cve/CVE-2019-8323.html
       https://www.suse.com/security/cve/CVE-2019-8324.html
       https://www.suse.com/security/cve/CVE-2019-8325.html
       https://bugzilla.suse.com/1082007
       https://bugzilla.suse.com/1082008
       https://bugzilla.suse.com/1082009
       https://bugzilla.suse.com/1082010
       https://bugzilla.suse.com/1082011
       https://bugzilla.suse.com/1082014
       https://bugzilla.suse.com/1082058
       https://bugzilla.suse.com/1087433
       https://bugzilla.suse.com/1087434
       https://bugzilla.suse.com/1087436
       https://bugzilla.suse.com/1087437
       https://bugzilla.suse.com/1087440
       https://bugzilla.suse.com/1087441
       https://bugzilla.suse.com/1112530
       https://bugzilla.suse.com/1112532
       https://bugzilla.suse.com/1130028
       https://bugzilla.suse.com/1130611
       https://bugzilla.suse.com/1130617
       https://bugzilla.suse.com/1130620
       https://bugzilla.suse.com/1130622
       https://bugzilla.suse.com/1130623
       https://bugzilla.suse.com/1130627
       https://bugzilla.suse.com/1133790
    
    -- 
    

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"8","type":"x","order":"1","pct":61.54,"resources":[]},{"id":"88","title":"Should be more technical","votes":"3","type":"x","order":"2","pct":23.08,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"2","type":"x","order":"3","pct":15.38,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.