Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -6 articles for you...
172
security advisorybuffer overflowcode executionUbuntu: 3685-1 Critical: Ruby Exploits and Risk Resolutions
Several security issues were fixed in Ruby.. =========================================================================Ubuntu Security Notice USN-3685-1 June 13, 2018 ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 17.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in Ruby. Software Description: - ruby2.3: Object-oriented scripting language - ruby1.9.1: Object-oriented scripting language - ruby2.0: Object-oriented scripting language Details: Some of these CVE were already addressed in previous USN: 3439-1, 3553-1, 3528-1. Here we address for the remain releases. It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to cause a buffer overrun. (CVE-2017-0898) It was discovered that Ruby incorrectly handled certain files. An attacker could use this to overwrite any file on the filesystem. (CVE-2017-0901) It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. An attacker could use this to possibly force the RubyGems client to download and install gems from a server that the attacker controls. (CVE-2017-0902) It was discovered that Ruby incorrectly handled certain YAML files. An attacker could use this to possibly execute arbitrary code. (CVE-2017-0903) It was discovered that Ruby incorrectly handled certain files. An attacker could use this to expose sensitive information. (CVE-2017-14064) It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to execute arbitrary code. (CVE-2017-10784) It was discovered that Ruby incorrectly handled certain network requests. An attacker could possibly use this to inject a crafted key into a HTTP response. (CVE-2017-17742) It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this to executearbitrary code. This update is only addressed to ruby2.0. (CVE-2018-1000074) It was discovered that Ruby incorrectly handled certain network requests. An attacker could possibly use this to cause a denial of service. (CVE-2018-8777) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 17.10: libruby2.3 2.3.3-1ubuntu1.6 ruby2.3 2.3.3-1ubuntu1.6 Ubuntu 16.04 LTS: libruby2.3 2.3.1-2~16.04.10 ruby2.3 2.3.1-2~16.04.10 Ubuntu 14.04 LTS: libruby1.9.1 1.9.3.484-2ubuntu1.12 libruby2.0 2.0.0.484-1ubuntu2.10 ruby1.9.1 1.9.3.484-2ubuntu1.12 ruby1.9.3 1.9.3.484-2ubuntu1.12 ruby2.0 2.0.0.484-1ubuntu2.10 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-3685-1 CVE-2017-0898, CVE-2017-0901, CVE-2017-0902, CVE-2017-0903, CVE-2017-10784, CVE-2017-14064, CVE-2017-17742, CVE-2018-1000074, CVE-2018-8777 Package Information: https://launchpad.net/ubuntu/+source/ruby2.3/2.3.3-1ubuntu1.6 https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~16.04.10 https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.484-2ubuntu1.12 https://launchpad.net/ubuntu/+source/ruby2.0/2.0.0.484-1ubuntu2.10 . Ubuntu releases have bolstered Ruby security by addressing various vulnerabilities, safeguarding users against possible threats.. Ubuntu Security Updates, Ruby Exploits, Code Execution Risks, Buffer Overflow Issues. . Severity: Critical. LinuxSecurity.com Team
Jun 14, 2018
•Critical
Ubuntu
98
security advisoryred hatsecurity fixRed Hat Software Collections: RHSA-2015:1657-01 Important: DNS Hijacking
Updated rh-ruby22-ruby packages that fix one security issue are now available for Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Important security [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Important: rh-ruby22-ruby security update Advisory ID: RHSA-2015:1657-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2015:1657.html Issue date: 2015-08-24 CVE Names: CVE-2015-3900 ==================================================================== 1. Summary: Updated rh-ruby22-ruby packages that fix one security issue are now available for Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. A flaw was found in a way rubygems verified the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle attacker could use thisflaw to force a client to download content from an untrusted domain. (CVE-2015-3900) All rh-ruby22-ruby users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running instances of Ruby need to be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1236116 - CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint() 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6): Source: rh-ruby22-ruby-2.2.2-12.el6.src.rpm noarch: rh-ruby22-ruby-doc-2.2.2-12.el6.noarch.rpm rh-ruby22-ruby-irb-2.2.2-12.el6.noarch.rpm rh-ruby22-rubygem-minitest-5.4.3-12.el6.noarch.rpm rh-ruby22-rubygem-power_assert-0.2.2-12.el6.noarch.rpm rh-ruby22-rubygem-rake-10.4.2-12.el6.noarch.rpm rh-ruby22-rubygem-rdoc-4.2.0-12.el6.noarch.rpm rh-ruby22-rubygem-test-unit-3.0.8-12.el6.noarch.rpm rh-ruby22-rubygems-devel-2.4.5-12.el6.noarch.rpm x86_64: rh-ruby22-ruby-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-debuginfo-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-devel-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-libs-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-tcltk-2.2.2-12.el6.x86_64.rpm rh-ruby22-rubygem-bigdecimal-1.2.6-12.el6.x86_64.rpm rh-ruby22-rubygem-io-console-0.4.3-12.el6.x86_64.rpm rh-ruby22-rubygem-json-1.8.1-12.el6.x86_64.rpm rh-ruby22-rubygem-psych-2.0.8-12.el6.x86_64.rpm rh-ruby22-rubygems-2.4.5-12.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v.6.5): Source: rh-ruby22-ruby-2.2.2-12.el6.src.rpm noarch: rh-ruby22-ruby-doc-2.2.2-12.el6.noarch.rpm rh-ruby22-ruby-irb-2.2.2-12.el6.noarch.rpm rh-ruby22-rubygem-minitest-5.4.3-12.el6.noarch.rpm rh-ruby22-rubygem-power_assert-0.2.2-12.el6.noarch.rpm rh-ruby22-rubygem-rake-10.4.2-12.el6.noarch.rpm rh-ruby22-rubygem-rdoc-4.2.0-12.el6.noarch.rpm rh-ruby22-rubygem-test-unit-3.0.8-12.el6.noarch.rpm rh-ruby22-rubygems-devel-2.4.5-12.el6.noarch.rpm x86_64: rh-ruby22-ruby-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-debuginfo-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-devel-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-libs-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-tcltk-2.2.2-12.el6.x86_64.rpm rh-ruby22-rubygem-bigdecimal-1.2.6-12.el6.x86_64.rpm rh-ruby22-rubygem-io-console-0.4.3-12.el6.x86_64.rpm rh-ruby22-rubygem-json-1.8.1-12.el6.x86_64.rpm rh-ruby22-rubygem-psych-2.0.8-12.el6.x86_64.rpm rh-ruby22-rubygems-2.4.5-12.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6): Source: rh-ruby22-ruby-2.2.2-12.el6.src.rpm noarch: rh-ruby22-ruby-doc-2.2.2-12.el6.noarch.rpm rh-ruby22-ruby-irb-2.2.2-12.el6.noarch.rpm rh-ruby22-rubygem-minitest-5.4.3-12.el6.noarch.rpm rh-ruby22-rubygem-power_assert-0.2.2-12.el6.noarch.rpm rh-ruby22-rubygem-rake-10.4.2-12.el6.noarch.rpm rh-ruby22-rubygem-rdoc-4.2.0-12.el6.noarch.rpm rh-ruby22-rubygem-test-unit-3.0.8-12.el6.noarch.rpm rh-ruby22-rubygems-devel-2.4.5-12.el6.noarch.rpm x86_64: rh-ruby22-ruby-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-debuginfo-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-devel-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-libs-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-tcltk-2.2.2-12.el6.x86_64.rpm rh-ruby22-rubygem-bigdecimal-1.2.6-12.el6.x86_64.rpm rh-ruby22-rubygem-io-console-0.4.3-12.el6.x86_64.rpm rh-ruby22-rubygem-json-1.8.1-12.el6.x86_64.rpm rh-ruby22-rubygem-psych-2.0.8-12.el6.x86_64.rpm rh-ruby22-rubygems-2.4.5-12.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v.6): Source: rh-ruby22-ruby-2.2.2-12.el6.src.rpm noarch: rh-ruby22-ruby-doc-2.2.2-12.el6.noarch.rpm rh-ruby22-ruby-irb-2.2.2-12.el6.noarch.rpm rh-ruby22-rubygem-minitest-5.4.3-12.el6.noarch.rpm rh-ruby22-rubygem-power_assert-0.2.2-12.el6.noarch.rpm rh-ruby22-rubygem-rake-10.4.2-12.el6.noarch.rpm rh-ruby22-rubygem-rdoc-4.2.0-12.el6.noarch.rpm rh-ruby22-rubygem-test-unit-3.0.8-12.el6.noarch.rpm rh-ruby22-rubygems-devel-2.4.5-12.el6.noarch.rpm x86_64: rh-ruby22-ruby-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-debuginfo-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-devel-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-libs-2.2.2-12.el6.x86_64.rpm rh-ruby22-ruby-tcltk-2.2.2-12.el6.x86_64.rpm rh-ruby22-rubygem-bigdecimal-1.2.6-12.el6.x86_64.rpm rh-ruby22-rubygem-io-console-0.4.3-12.el6.x86_64.rpm rh-ruby22-rubygem-json-1.8.1-12.el6.x86_64.rpm rh-ruby22-rubygem-psych-2.0.8-12.el6.x86_64.rpm rh-ruby22-rubygems-2.4.5-12.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-ruby22-ruby-2.2.2-12.el7.src.rpm noarch: rh-ruby22-ruby-doc-2.2.2-12.el7.noarch.rpm rh-ruby22-ruby-irb-2.2.2-12.el7.noarch.rpm rh-ruby22-rubygem-minitest-5.4.3-12.el7.noarch.rpm rh-ruby22-rubygem-power_assert-0.2.2-12.el7.noarch.rpm rh-ruby22-rubygem-rake-10.4.2-12.el7.noarch.rpm rh-ruby22-rubygem-rdoc-4.2.0-12.el7.noarch.rpm rh-ruby22-rubygem-test-unit-3.0.8-12.el7.noarch.rpm rh-ruby22-rubygems-devel-2.4.5-12.el7.noarch.rpm x86_64: rh-ruby22-ruby-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-debuginfo-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-devel-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-libs-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-tcltk-2.2.2-12.el7.x86_64.rpm rh-ruby22-rubygem-bigdecimal-1.2.6-12.el7.x86_64.rpm rh-ruby22-rubygem-io-console-0.4.3-12.el7.x86_64.rpm rh-ruby22-rubygem-json-1.8.1-12.el7.x86_64.rpm rh-ruby22-rubygem-psych-2.0.8-12.el7.x86_64.rpm rh-ruby22-rubygems-2.4.5-12.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v.7.1): Source: rh-ruby22-ruby-2.2.2-12.el7.src.rpm noarch: rh-ruby22-ruby-doc-2.2.2-12.el7.noarch.rpm rh-ruby22-ruby-irb-2.2.2-12.el7.noarch.rpm rh-ruby22-rubygem-minitest-5.4.3-12.el7.noarch.rpm rh-ruby22-rubygem-power_assert-0.2.2-12.el7.noarch.rpm rh-ruby22-rubygem-rake-10.4.2-12.el7.noarch.rpm rh-ruby22-rubygem-rdoc-4.2.0-12.el7.noarch.rpm rh-ruby22-rubygem-test-unit-3.0.8-12.el7.noarch.rpm rh-ruby22-rubygems-devel-2.4.5-12.el7.noarch.rpm x86_64: rh-ruby22-ruby-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-debuginfo-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-devel-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-libs-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-tcltk-2.2.2-12.el7.x86_64.rpm rh-ruby22-rubygem-bigdecimal-1.2.6-12.el7.x86_64.rpm rh-ruby22-rubygem-io-console-0.4.3-12.el7.x86_64.rpm rh-ruby22-rubygem-json-1.8.1-12.el7.x86_64.rpm rh-ruby22-rubygem-psych-2.0.8-12.el7.x86_64.rpm rh-ruby22-rubygems-2.4.5-12.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-ruby22-ruby-2.2.2-12.el7.src.rpm noarch: rh-ruby22-ruby-doc-2.2.2-12.el7.noarch.rpm rh-ruby22-ruby-irb-2.2.2-12.el7.noarch.rpm rh-ruby22-rubygem-minitest-5.4.3-12.el7.noarch.rpm rh-ruby22-rubygem-power_assert-0.2.2-12.el7.noarch.rpm rh-ruby22-rubygem-rake-10.4.2-12.el7.noarch.rpm rh-ruby22-rubygem-rdoc-4.2.0-12.el7.noarch.rpm rh-ruby22-rubygem-test-unit-3.0.8-12.el7.noarch.rpm rh-ruby22-rubygems-devel-2.4.5-12.el7.noarch.rpm x86_64: rh-ruby22-ruby-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-debuginfo-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-devel-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-libs-2.2.2-12.el7.x86_64.rpm rh-ruby22-ruby-tcltk-2.2.2-12.el7.x86_64.rpm rh-ruby22-rubygem-bigdecimal-1.2.6-12.el7.x86_64.rpm rh-ruby22-rubygem-io-console-0.4.3-12.el7.x86_64.rpm rh-ruby22-rubygem-json-1.8.1-12.el7.x86_64.rpm rh-ruby22-rubygem-psych-2.0.8-12.el7.x86_64.rpm rh-ruby22-rubygems-2.4.5-12.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are availablefrom https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-3900 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. . Crucial notice regarding rh-ruby22-ruby software addressing DNS manipulation vulnerability. Update is advised for Red Hat clients.. Red Hat Software, Ruby Security, DNS Hijacking Fix, Software Collections. . Severity: Important. LinuxSecurity.com Team
Aug 24, 2015
•Important
Red Hat
89
security advisoryfedoracriticalFedora 22 FEDORA-2015-12574 Critical: RubyGems DNS Hijacking
Update to RubyGems 2.4.8.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-12574 2015-08-01 00:12:18 -------------------------------------------------------------------------------- Name : rubygems Product : Fedora 22 Version : 2.4.8 Release : 100.fc22 URL : https://rubygems.org/ Summary : The Ruby standard for packaging ruby libraries Description : RubyGems is the Ruby standard for publishing and managing third party libraries. -------------------------------------------------------------------------------- Update Information: Update to RubyGems 2.4.8. -------------------------------------------------------------------------------- ChangeLog: * Fri Jul 10 2015 VÃt Ondruch - 2.4.8-100 - Update to RubyGems 2.4.8. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1236116 - CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint() https://bugzilla.redhat.com/show_bug.cgi?id=1236116 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update rubygems' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
Aug 11, 2015
•Critical
Fedora
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!