Red Hat: RHSA-2018-0585-01 Important: Ruby Command Injection Risk Moderate
Mar 26, 2018
•
LinuxSecurity Advisories
7 - 14 min read
Topics Covered
An update for rh-ruby23-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
==================================================================== Red Hat Security Advisory
Synopsis: Important: rh-ruby23-ruby security, bug fix, and enhancement update
Advisory ID: RHSA-2018:0585-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2018:0585
Issue date: 2018-03-26
CVE Names: CVE-2017-0898 CVE-2017-0899 CVE-2017-0900
CVE-2017-0901 CVE-2017-0902 CVE-2017-0903
CVE-2017-10784 CVE-2017-14033 CVE-2017-14064
CVE-2017-17405 CVE-2017-17790
====================================================================
1. Summary:
An update for rh-ruby23-ruby is now available for Red Hat Software
Collections.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
3. Description:
Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version:
rh-ruby23-ruby (2.3.6), rh-ruby23-rubygems (2.5.2.2),
rh-ruby23-rubygem-json (1.8.3.1), rh-ruby23-rubygem-minitest (5.8.5),
rh-ruby23-rubygem-psych (2.1.0.1). (BZ#1549649)
Security Fix(es):
* ruby: Command injection vulnerability in Net::FTP (CVE-2017-17405)
* ruby: Buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898)
* rubygems: Arbitrary file overwrite due to incorrect validation of
specification name (CVE-2017-0901)
* rubygems: DNS hijacking vulnerability (CVE-2017-0902)
* rubygems: Unsafe object deserialization through YAML formatted gem
specifications (CVE-2017-0903)
* ruby: Escape sequence injection vulnerability in the Basic authentication
of WEBrick (CVE-2017-10784)
* ruby: Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033)
* rubygems: Escape sequence in the "summary" field of gemspec
(CVE-2017-0899)
* rubygems: No size limit in summary length of gem spec (CVE-2017-0900)
* ruby: Arbitrary heap exposure during a JSON.generate call
(CVE-2017-14064)
* ruby: Command injection in lib/resolv.rb:lazy_initialize() allows
arbitrary code execution (CVE-2017-17790)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1487552 - CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call
1487587 - CVE-2017-0901 rubygems: Arbitrary file overwrite due to incorrect validation of specification name
1487588 - CVE-2017-0900 rubygems: No size limit in summary length of gem spec
1487589 - CVE-2017-0902 rubygems: DNS hijacking vulnerability
1487590 - CVE-2017-0899 rubygems: Escape sequence in the "summary" field of gemspec
1491866 - CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
1492012 - CVE-2017-10784 ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick
1492015 - CVE-2017-0898 ruby: Buffer underrun vulnerability in Kernel.sprintf
1500488 - CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications
1526189 - CVE-2017-17405 ruby: Command injection vulnerability in Net::FTP
1528218 - CVE-2017-17790 ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution
1549649 - Rebase to the latest Ruby 2.3 point release
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
rh-ruby23-ruby-2.3.6-67.el6.src.rpm
noarch:
rh-ruby23-ruby-doc-2.3.6-67.el6.noarch.rpm
rh-ruby23-ruby-irb-2.3.6-67.el6.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-67.el6.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-67.el6.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-67.el6.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-67.el6.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-67.el6.noarch.rpm
rh-ruby23-rubygems-2.5.2.2-67.el6.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.2-67.el6.noarch.rpm
x86_64:
rh-ruby23-ruby-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-devel-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-libs-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.6-67.el6.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-67.el6.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-67.el6.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-67.el6.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-67.el6.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-67.el6.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-67.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):
Source:
rh-ruby23-ruby-2.3.6-67.el6.src.rpm
noarch:
rh-ruby23-ruby-doc-2.3.6-67.el6.noarch.rpm
rh-ruby23-ruby-irb-2.3.6-67.el6.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-67.el6.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-67.el6.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-67.el6.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-67.el6.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-67.el6.noarch.rpm
rh-ruby23-rubygems-2.5.2.2-67.el6.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.2-67.el6.noarch.rpm
x86_64:
rh-ruby23-ruby-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-devel-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-libs-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.6-67.el6.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-67.el6.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-67.el6.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-67.el6.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-67.el6.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-67.el6.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-67.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
rh-ruby23-ruby-2.3.6-67.el6.src.rpm
noarch:
rh-ruby23-ruby-doc-2.3.6-67.el6.noarch.rpm
rh-ruby23-ruby-irb-2.3.6-67.el6.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-67.el6.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-67.el6.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-67.el6.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-67.el6.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-67.el6.noarch.rpm
rh-ruby23-rubygems-2.5.2.2-67.el6.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.2-67.el6.noarch.rpm
x86_64:
rh-ruby23-ruby-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-devel-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-libs-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.6-67.el6.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-67.el6.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-67.el6.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-67.el6.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-67.el6.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-67.el6.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-67.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-ruby23-ruby-2.3.6-67.el7.src.rpm
noarch:
rh-ruby23-ruby-doc-2.3.6-67.el7.noarch.rpm
rh-ruby23-ruby-irb-2.3.6-67.el7.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-67.el7.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-67.el7.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-67.el7.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-67.el7.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-67.el7.noarch.rpm
rh-ruby23-rubygems-2.5.2.2-67.el7.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.2-67.el7.noarch.rpm
x86_64:
rh-ruby23-ruby-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-devel-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-libs-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.6-67.el7.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-67.el7.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-67.el7.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-67.el7.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-67.el7.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-67.el7.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-67.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):
Source:
rh-ruby23-ruby-2.3.6-67.el7.src.rpm
noarch:
rh-ruby23-ruby-doc-2.3.6-67.el7.noarch.rpm
rh-ruby23-ruby-irb-2.3.6-67.el7.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-67.el7.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-67.el7.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-67.el7.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-67.el7.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-67.el7.noarch.rpm
rh-ruby23-rubygems-2.5.2.2-67.el7.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.2-67.el7.noarch.rpm
x86_64:
rh-ruby23-ruby-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-devel-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-libs-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.6-67.el7.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-67.el7.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-67.el7.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-67.el7.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-67.el7.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-67.el7.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-67.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):
Source:
rh-ruby23-ruby-2.3.6-67.el7.src.rpm
noarch:
rh-ruby23-ruby-doc-2.3.6-67.el7.noarch.rpm
rh-ruby23-ruby-irb-2.3.6-67.el7.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-67.el7.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-67.el7.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-67.el7.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-67.el7.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-67.el7.noarch.rpm
rh-ruby23-rubygems-2.5.2.2-67.el7.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.2-67.el7.noarch.rpm
x86_64:
rh-ruby23-ruby-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-devel-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-libs-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.6-67.el7.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-67.el7.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-67.el7.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-67.el7.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-67.el7.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-67.el7.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-67.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-ruby23-ruby-2.3.6-67.el7.src.rpm
noarch:
rh-ruby23-ruby-doc-2.3.6-67.el7.noarch.rpm
rh-ruby23-ruby-irb-2.3.6-67.el7.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-67.el7.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-67.el7.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-67.el7.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-67.el7.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-67.el7.noarch.rpm
rh-ruby23-rubygems-2.5.2.2-67.el7.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.2-67.el7.noarch.rpm
x86_64:
rh-ruby23-ruby-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-devel-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-libs-2.3.6-67.el7.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.6-67.el7.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-67.el7.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-67.el7.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-67.el7.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-67.el7.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-67.el7.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-67.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-0898
https://access.redhat.com/security/cve/CVE-2017-0899
https://access.redhat.com/security/cve/CVE-2017-0900
https://access.redhat.com/security/cve/CVE-2017-0901
https://access.redhat.com/security/cve/CVE-2017-0902
https://access.redhat.com/security/cve/CVE-2017-0903
https://access.redhat.com/security/cve/CVE-2017-10784
https://access.redhat.com/security/cve/CVE-2017-14033
https://access.redhat.com/security/cve/CVE-2017-14064
https://access.redhat.com/security/cve/CVE-2017-17405
https://access.redhat.com/security/cve/CVE-2017-17790
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFauMlbXlSAg2UNWIIRAm5nAJ0eb6LhztJ7AP9/kU7vSMsoXg0EhwCfRmFg
bMdiP7NH/D0PVEX2sN6DcWw=u0rr
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.
PREVIOUS
NEXT
Red Hat: RHSA-2018-0585-01 Important: Ruby Command Injection Risk Moderate
red hat
March 26, 2018
An update for rh-ruby23-ruby is now available for Red Hat Software Collections
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Summary
Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version:
rh-ruby23-ruby (2.3.6), rh-ruby23-rubygems (2.5.2.2),
rh-ruby23-rubygem-json (1.8.3.1), rh-ruby23-rubygem-minitest (5.8.5),
rh-ruby23-rubygem-psych (2.1.0.1). (BZ#1549649)
Security Fix(es):
* ruby: Command injection vulnerability in Net::FTP (CVE-2017-17405)
* ruby: Buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898)
* rubygems: Arbitrary file overwrite due to incorrect validation of
specification name (CVE-2017-0901)
* rubygems: DNS hijacking vulnerability (CVE-2017-0902)
* rubygems: Unsafe object deserialization through YAML formatted gem
specifications (CVE-2017-0903)
* ruby: Escape sequence injection vulnerability in the Basic authentication
of WEBrick (CVE-2017-10784)
* ruby: Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033)
* rubygems: Escape sequence in the "summary" field of gemspec
(CVE-2017-0899)
* rubygems: No size limit in summary length of gem spec (CVE-2017-0900)
* ruby: Arbitrary heap exposure during a JSON.generate call
(CVE-2017-14064)
* ruby: Command injection in lib/resolv.rb:lazy_initialize() allows
arbitrary code execution (CVE-2017-17790)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Topics Covered
References
https://access.redhat.com/security/cve/CVE-2017-0898 https://access.redhat.com/security/cve/CVE-2017-0899 https://access.redhat.com/security/cve/CVE-2017-0900 https://access.redhat.com/security/cve/CVE-2017-0901 https://access.redhat.com/security/cve/CVE-2017-0902 https://access.redhat.com/security/cve/CVE-2017-0903 https://access.redhat.com/security/cve/CVE-2017-10784 https://access.redhat.com/security/cve/CVE-2017-14033 https://access.redhat.com/security/cve/CVE-2017-14064 https://access.redhat.com/security/cve/CVE-2017-17405 https://access.redhat.com/security/cve/CVE-2017-17790 https://access.redhat.com/security/updates/classification/#important
Package List
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
rh-ruby23-ruby-2.3.6-67.el6.src.rpm
noarch:
rh-ruby23-ruby-doc-2.3.6-67.el6.noarch.rpm
rh-ruby23-ruby-irb-2.3.6-67.el6.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-67.el6.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-67.el6.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-67.el6.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-67.el6.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-67.el6.noarch.rpm
rh-ruby23-rubygems-2.5.2.2-67.el6.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.2-67.el6.noarch.rpm
x86_64:
rh-ruby23-ruby-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-devel-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-libs-2.3.6-67.el6.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.6-67.el6.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-67.el6.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-67.el6.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-67.el6.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-67.el6.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-67.el6.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-67.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):
Source:
rh-ruby23-ruby-2.3.6-67.el6.src.rpm
noarch:
rh-ruby23-ruby-doc-2.3.6-67.el6.noarch.rpm
Read the Full Advisory
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2018:0585-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2018:0585
Issue date: 2018-03-26
Topic
An update for rh-ruby23-ruby is now available for Red Hat SoftwareCollections.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topics Covered
Relevant Releases Architectures
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Bugs Fixed
1487552 - CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call
1487587 - CVE-2017-0901 rubygems: Arbitrary file overwrite due to incorrect validation of specification name
1487588 - CVE-2017-0900 rubygems: No size limit in summary length of gem spec
1487589 - CVE-2017-0902 rubygems: DNS hijacking vulnerability
1487590 - CVE-2017-0899 rubygems: Escape sequence in the "summary" field of gemspec
1491866 - CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
1492012 - CVE-2017-10784 ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick
1492015 - CVE-2017-0898 ruby: Buffer underrun vulnerability in Kernel.sprintf
1500488 - CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications
1526189 - CVE-2017-17405 ruby: Command injection vulnerability in Net::FTP
1528218 - CVE-2017-17790 ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution
1549649 - Rebase to the latest Ruby 2.3 point release
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!