Lucene search

K
debianDebianDEBIAN:DLA-1735-1:A1848
HistoryMar 29, 2019 - 8:53 a.m.

[SECURITY] [DLA 1735-1] ruby2.1 security update

2019-03-2908:53:04
lists.debian.org
87
ruby2.1
security update
vulnerability
rubygems
debian 8

CVSS2

8.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.006

Percentile

79.0%

Package : ruby2.1
Version : 2.1.5-2+deb8u7
CVE ID : CVE-2019-8320 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324
CVE-2019-8325

Several vulnerabilities have been discovered in rubygems embedded in
ruby2.1, the interpreted scripting language.

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems. Before
making new directories or touching files (which now include
path-checking code for symlinks), it would delete the target
destination.

CVE-2019-8322

The gem owner command outputs the contents of the API response
directly to stdout. Therefore, if the response is crafted, escape
sequence injection may occur.

CVE-2019-8323

Gem::GemcutterUtilities#with_response may output the API response to
stdout as it is. Therefore, if the API side modifies the response,
escape sequence injection may occur.

CVE-2019-8324

A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line
of gemspec, which is eval-ed by code in ensure_loadable_spec during
the preinstall check.

CVE-2019-8325

An issue was discovered in RubyGems 2.6 and later through 3.0.2.
Since Gem::CommandManager#run calls alert_error without escaping,
escape sequence injection is possible. (There are many ways to cause
an error.)

For Debian 8 "Jessie", these problems have been fixed in version
2.1.5-2+deb8u7.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

CVSS2

8.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.006

Percentile

79.0%