Gentoo FoundationMGASA-2017-0486

HistoryDec 31, 2017 - 6:51 p.m.

Updated ruby packages fix security vulnerabilities

2017-12-3118:51:06

Gentoo Foundation

advisories.mageia.org

0.895 High

EPSS

Percentile

98.7%

JSON

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the “|” pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution (CVE-2017-17405). The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a ‘|’ character (CVE-2017-17790).

OSVersionArchitecturePackageVersionFilename
Mageia5noarchruby< 2.0.0.p648-1.6ruby-2.0.0.p648-1.6.mga5
Mageia6noarchruby< 2.2.8-1.1ruby-2.2.8-1.1.mga6

OS	Version	Architecture	Package	Version	Filename
Mageia	5	noarch	ruby	< 2.0.0.p648-1.6	ruby-2.0.0.p648-1.6.mga5
Mageia	6	noarch	ruby	< 2.2.8-1.1	ruby-2.2.8-1.1.mga6

References

bugs.mageia.org/show_bug.cgi?id=22203

www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/

openvas 19

osv 6

debian 4

prion 2

nessus 42

ubuntucve 2

redhat 5

cve 2

debiancve 2

cvelist 2

photon 8

seebug 1

freebsd 1

gentoo 1

exploitpack 1

veracode 2

checkpoint_advisories 1

redhatcve 2

hackerone 1

ubuntu 2

alpinelinux 1

zdt 1

slackware 1

exploitdb 1

rubygems 1

oraclelinux 1

centos 1

ibm 1

fedora 2

amazon 2

apple 4

openvas

Mageia: Security Advisory (MGASA-2017-0486)

2022-01-28 00:00:00

Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1030)

2020-01-23 00:00:00

Debian: Security Advisory (DLA-1222-1)

2023-03-08 00:00:00

osv

ruby1.8 - security update

2017-12-24 00:00:00

ruby1.9.1 - security update

2017-12-24 00:00:00

CVE-2017-17790

2017-12-20 09:29:01

debian

[SECURITY] [DLA 1222-1] ruby1.8 security update

2017-12-25 14:56:43

[SECURITY] [DLA 1221-1] ruby1.9.1 security update

2017-12-25 14:56:59

[SECURITY] [DSA 4259-1] ruby2.3 security update

2018-07-31 21:40:52

prion

Command injection

2017-12-20 09:29:00

Command injection

2017-12-15 09:29:00

nessus

Debian DLA-1222-1 : ruby1.8 security update

2017-12-26 00:00:00

EulerOS 2.0 SP1 : ruby (EulerOS-SA-2018-1029)

2018-01-29 00:00:00

Debian DLA-1221-1 : ruby1.9.1 security update

2017-12-26 00:00:00

ubuntucve

CVE-2017-17790

2017-12-20 00:00:00

CVE-2017-17405

2017-12-15 00:00:00

redhat

(RHSA-2018:0584) Important: rh-ruby24-ruby security, bug fix, and enhancement update

2018-03-26 09:12:41

(RHSA-2019:2806) Important: ruby security update

2019-09-17 10:31:23

(RHSA-2018:0378) Important: ruby security update

2018-02-28 16:24:33

cve

CVE-2017-17790

2017-12-20 09:29:00

CVE-2017-17405

2017-12-15 09:29:00

debiancve

CVE-2017-17790

2017-12-20 09:29:00

CVE-2017-17405

2017-12-15 09:29:00

cvelist

CVE-2017-17790

2017-12-20 09:00:00

CVE-2017-17405

2017-12-15 09:00:00

photon

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-1.0-0100

2018-01-18 00:00:00

Critical Photon OS Security Update - PHSA-2018-0100

2018-01-18 00:00:00

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-2.0-0011-A

2018-01-11 00:00:00

seebug

Command injection vulnerability in Net::FTP(CVE-2017-17405)

2017-12-18 00:00:00

freebsd

ruby -- Command injection vulnerability in Net::FTP

2017-12-14 00:00:00

gentoo

Ruby: Command injection

2018-02-20 00:00:00

exploitpack

Ruby 2.2.8 2.3.5 2.4.2 2.5.0-preview1 - NET::Ftp Command Injection

2017-12-02 00:00:00

veracode

Command Injection

2019-05-16 02:49:49

Arbitrary Command Execution

2019-01-15 09:21:10

checkpoint_advisories

Ruby Net FTP Command Injection (CVE-2017-17405) - Ver2

2018-04-15 00:00:00

redhatcve

CVE-2017-17405

2017-12-14 21:50:01

CVE-2017-17790

2019-10-08 04:44:54

hackerone

Ruby: NET::Ftp allows command injection in filenames

2017-12-02 11:33:02

ubuntu

Ruby vulnerability

2018-01-04 00:00:00

Ruby vulnerabilities

2018-01-10 00:00:00

alpinelinux

CVE-2017-17405

2017-12-15 09:29:00

zdt

Ruby < 2.2.8 / < 2.3.5 / < 2.4.2 / < 2.5.0-preview1 - NET::Ftp Command Injection Exploit

2017-12-22 00:00:00

slackware

[slackware-security] ruby

2017-12-20 06:38:26

exploitdb

Ruby < 2.2.8 / < 2.3.5 / < 2.4.2 / < 2.5.0-preview1 - 'NET::Ftp' Command Injection

2017-12-02 00:00:00

rubygems

The lazy_initialize function in lib/resolv.rb in Ruby

2017-12-19 21:00:00

oraclelinux

ruby security update

2018-02-28 00:00:00

centos

ruby, rubygem, rubygems security update

2018-03-10 11:53:01

ibm

Security Bulletin: Vulnerabilities in Ruby affect PowerKVM

2018-06-18 01:42:18

fedora

[SECURITY] Fedora 26 Update: ruby-2.4.3-87.fc26

2018-03-11 20:00:06

[SECURITY] Fedora 27 Update: ruby-2.4.3-87.fc27

2018-03-02 16:26:05

amazon

Medium: ruby

2018-04-05 16:06:00

Medium: ruby20, ruby22, ruby23, ruby24

2018-04-04 23:18:00

apple

About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan

2018-07-09 00:00:00

About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan - Apple Support

2020-07-28 05:29:11

About the security content of macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra - Apple Support

2020-07-27 08:14:47

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
OpenSource

@2024 Vulners Inc