ELSA-2018-0378

ELSA-2018-0378 - ruby security update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2018-02-28

Description


[2.0.0.648-33]
- Fix always passing WEBrick test.

[2.0.0.648-32]
- Add Psych.safe_load
* ruby-2.1.0-there-should-be-only-one-exception.patch
* ruby-2.1.0-Adding-Psych.safe_load.patch
Related: CVE-2017-0903
- Disable Tokyo TZ tests broken by recent tzdata update.
* ruby-2.5.0-Disable-Tokyo-TZ-tests.patch
Related: CVE-2017-0903

[2.0.0.648-31]
- Fix unsafe object deserialization in RubyGems (CVE-2017-0903).
* ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch
Resolves: CVE-2017-0903
- Fix an ANSI escape sequence vulnerability (CVE-2017-0899).
Resolves: CVE-2017-0899
- Fix a DoS vulnerability in the query command (CVE-2017-0900).
Resolves: CVE-2017-0900
- Fix a vulnerability in the gem installer that allowed a malicious gem
to overwrite arbitrary files (CVE-2017-0901).
Resolves: CVE-2017-0901
- Fix a DNS request hijacking vulnerability (CVE-2017-0902).
* ruby-2.2.8-lib-rubygems-fix-several-vulnerabilities-in-RubyGems.patch
Resolves: CVE-2017-0902
- Fix buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898).
* ruby-2.2.8-Buffer-underrun-vulnerability-in-Kernel.sprintf.patch
Resolves: CVE-2017-0898
- Escape sequence injection vulnerability in the Basic
authentication of WEBrick (CVE-2017-10784).
* ruby-2.2.8-sanitize-any-type-of-logs.patch
Resolves: CVE-2017-10784
- Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).
* ruby-2.2.8-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
Resolves: CVE-2017-14064
- Command injection vulnerability in Net::FTP (CVE-2017-17405).
* ruby-2.2.9-Fix-a-command-injection-vulnerability-in-Net-FTP.patch
Resolves: CVE-2017-17405
- Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033).
* ruby-2.2.8-asn1-fix-out-of-bounds-read-in-decoding-constructed-objects.patch
Resolves: CVE-2017-14033
- Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code
execution (CVE-2017-17790).
* ruby-2.5.0-Fixed-command-Injection.patch
Resolves: CVE-2017-17790
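The -31 and -32 entries above fix the unsafe object deserialization in RubyGems (CVE-2017-0903) by backporting Psych.safe_load. The following is an added example, not code from this advisory or from the ruby package, showing how a consumer of untrusted YAML uses safe_load so that only plain scalars and collections are instantiated; the YAML documents and the class tag SomeAppClass are constructed for the illustration and assume a psych with keyword-argument safe_load (Ruby 2.6 or later).

```ruby
require 'psych'

# Constructed sample: YAML carrying a Ruby object tag. Psych.load on older
# rubies would instantiate the tagged class; safe_load refuses to.
TAGGED_YAML = <<~YAML
  --- !ruby/object:SomeAppClass
  user: admin
  role: owner
YAML

# Constructed sample: ordinary gem-metadata-like data with no tags.
PLAIN_YAML = <<~YAML
  name: example
  version: "1.0"
  deps: [json, psych]
YAML

# Parse untrusted YAML with Psych.safe_load. Only core types (String, Integer,
# Float, Hash, Array, true/false/nil, ...) plus the classes listed in
# `permitted` are allowed; any other class tag raises Psych::DisallowedClass.
# Aliases are disabled so an alias-expansion bomb raises Psych::BadAlias
# (Psych::AliasesNotEnabled is a subclass of it on newer psych versions).
# Returns [:ok, data] on success or [:rejected, message] when refused.
def load_untrusted_yaml(text, permitted: [])
  data = Psych.safe_load(text, permitted_classes: permitted, aliases: false)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted_yaml(PLAIN_YAML)                    # [:ok, {...}]
  p load_untrusted_yaml(TAGGED_YAML)                   # [:rejected, ...]
  p load_untrusted_yaml("a: &x 1\nb: *x\n")            # [:rejected, ...]
  p load_untrusted_yaml("sym: :foo\n", permitted: [Symbol])  # [:ok, {"sym"=>:foo}]
end
```

Symbols are refused by default as well; pass `permitted: [Symbol]` (and, where the loader supports it, `permitted_symbols:`) only for the specific keys the application expects.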


Related CVEs


CVE-2017-0898
CVE-2017-0899
CVE-2017-10784
CVE-2017-0900
CVE-2017-0901
CVE-2017-0902
CVE-2017-0903
CVE-2017-14033
CVE-2017-14064
CVE-2017-17405
CVE-2017-17790

Updated Packages


Release/Architecture      Filename                                        MD5sum                             Superseded By Advisory
Oracle Linux 7 (x86_64)   ruby-2.0.0.648-33.el7_4.src.rpm                 8cc20247aeb133bd850de167fb2fc3cb   -
                          ruby-2.0.0.648-33.el7_4.x86_64.rpm              7b7a2af7a553b67b36366de193b9a95c   -
                          ruby-devel-2.0.0.648-33.el7_4.x86_64.rpm        28a5b022c2ca83105f6a080408d8b985   -
                          ruby-doc-2.0.0.648-33.el7_4.noarch.rpm          1948a42635124432fa998123e61b3fbe   -
                          ruby-irb-2.0.0.648-33.el7_4.noarch.rpm          2e802efd15fd922f4a52d1963c8a6e79   -
                          ruby-libs-2.0.0.648-33.el7_4.i686.rpm           f6c0ff210eaa463aaac6a3c6c9d68e74   -
                          ruby-libs-2.0.0.648-33.el7_4.x86_64.rpm         3c10718adbb57646f1e0f64d5a03471d   -
                          ruby-tcltk-2.0.0.648-33.el7_4.x86_64.rpm        403baa8ee989483d267fca0734bc7052   -
                          rubygem-bigdecimal-1.2.0-33.el7_4.x86_64.rpm    2e452ced615f3d12c15d1a10d7de3580   -
                          rubygem-io-console-0.4.2-33.el7_4.x86_64.rpm    badea47ccd41deda0d3920dfc4eeecef   -
                          rubygem-json-1.7.7-33.el7_4.x86_64.rpm          daf81b9c5f85cb7441191f37d0dc21f2   -
                          rubygem-minitest-4.3.2-33.el7_4.noarch.rpm      aa26ac8d2efde7bb477f8d851e485b5c   -
                          rubygem-psych-2.0.0-33.el7_4.x86_64.rpm         9404273dcd291cb3f79fc6e318818068   -
                          rubygem-rake-0.9.6-33.el7_4.noarch.rpm          a2c624026ad3a6c562b3bab9ee6bb56b   -
                          rubygem-rdoc-4.0.0-33.el7_4.noarch.rpm          25342202e20d0c53a8ae2da77b829579   -
                          rubygems-2.0.14.1-33.el7_4.noarch.rpm           0b7278503dbbd43f4b8434f54e62ba10   -
                          rubygems-devel-2.0.14.1-33.el7_4.noarch.rpm     106946198b0ff2f81bde63bb1095d983   -



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team