Lucene search

DebianDEBIAN:DSA-3801-1:C1B44

HistoryMar 04, 2017 - 1:59 p.m.

[SECURITY] [DSA 3801-1] ruby-zip security update

2017-03-0413:59:24

lists.debian.org

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

74.5%

JSON

Debian Security Advisory DSA-3801-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
March 04, 2017 https://www.debian.org/security/faq

Package : ruby-zip
CVE ID : CVE-2017-5946
Debian Bug : 856269

It was discovered that ruby-zip, a Ruby module for reading and writing
zip files, is prone to a directory traversal vulnerability. An attacker
can take advantage of this flaw to overwrite arbitrary files during
archive extraction via a … (dot dot) in an extracted filename.

For the stable distribution (jessie), this problem has been fixed in
version 1.1.6-1+deb8u1.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 1.2.0-1.1.

For the unstable distribution (sid), this problem has been fixed in
version 1.2.0-1.1.

We recommend that you upgrade your ruby-zip packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian8ppc64elruby-zip< 1.1.6-1+deb8u1ruby-zip_1.1.6-1+deb8u1_ppc64el.deb
Debian8allruby-zip< 1.1.6-1+deb8u1ruby-zip_1.1.6-1+deb8u1_all.deb
Debian7alllibzip-ruby< 0.9.4-1+deb7u1libzip-ruby_0.9.4-1+deb7u1_all.deb
Debian8armelruby-zip< 1.1.6-1+deb8u1ruby-zip_1.1.6-1+deb8u1_armel.deb
Debian8s390xruby-zip< 1.1.6-1+deb8u1ruby-zip_1.1.6-1+deb8u1_s390x.deb
Debian7alllibzip-ruby1.9.1< 0.9.4-1+deb7u1libzip-ruby1.9.1_0.9.4-1+deb7u1_all.deb
Debian8i386ruby-zip< 1.1.6-1+deb8u1ruby-zip_1.1.6-1+deb8u1_i386.deb
Debian8mipselruby-zip< 1.1.6-1+deb8u1ruby-zip_1.1.6-1+deb8u1_mipsel.deb
Debian8amd64ruby-zip< 1.1.6-1+deb8u1ruby-zip_1.1.6-1+deb8u1_amd64.deb
Debian8armhfruby-zip< 1.1.6-1+deb8u1ruby-zip_1.1.6-1+deb8u1_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	ppc64el	ruby-zip	< 1.1.6-1+deb8u1	ruby-zip_1.1.6-1+deb8u1_ppc64el.deb
Debian	8	all	ruby-zip	< 1.1.6-1+deb8u1	ruby-zip_1.1.6-1+deb8u1_all.deb
Debian	7	all	libzip-ruby	< 0.9.4-1+deb7u1	libzip-ruby_0.9.4-1+deb7u1_all.deb
Debian	8	armel	ruby-zip	< 1.1.6-1+deb8u1	ruby-zip_1.1.6-1+deb8u1_armel.deb
Debian	8	s390x	ruby-zip	< 1.1.6-1+deb8u1	ruby-zip_1.1.6-1+deb8u1_s390x.deb
Debian	7	all	libzip-ruby1.9.1	< 0.9.4-1+deb7u1	libzip-ruby1.9.1_0.9.4-1+deb7u1_all.deb
Debian	8	i386	ruby-zip	< 1.1.6-1+deb8u1	ruby-zip_1.1.6-1+deb8u1_i386.deb
Debian	8	mipsel	ruby-zip	< 1.1.6-1+deb8u1	ruby-zip_1.1.6-1+deb8u1_mipsel.deb
Debian	8	amd64	ruby-zip	< 1.1.6-1+deb8u1	ruby-zip_1.1.6-1+deb8u1_amd64.deb
Debian	8	armhf	ruby-zip	< 1.1.6-1+deb8u1	ruby-zip_1.1.6-1+deb8u1_armhf.deb