Oracle Linux ELSA-2018-0378
History: Feb 28, 2018 - 12:00 a.m.

ruby security update

2018-02-28 00:00:00
linux.oracle.com

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.899 High
  Percentile: 98.5%

[2.0.0.648-33]
  • Fix always passing WEBrick test.

[2.0.0.648-32]
  • Add Psych.safe_load
    • ruby-2.1.0-there-should-be-only-one-exception.patch
    • ruby-2.1.0-Adding-Psych.safe_load.patch
      Related: CVE-2017-0903
  • Disable Tokyo TZ tests broken by recent tzdata update.
    • ruby-2.5.0-Disable-Tokyo-TZ-tests.patch
      Related: CVE-2017-0903

[2.0.0.648-31]
  • Fix unsafe object deserialization in RubyGems (CVE-2017-0903).
    • ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch
      Resolves: CVE-2017-0903
  • Fix an ANSI escape sequence vulnerability (CVE-2017-0899).
    Resolves: CVE-2017-0899
  • Fix a DoS vulnerability in the query command (CVE-2017-0900).
    Resolves: CVE-2017-0900
  • Fix a vulnerability in the gem installer that allowed a malicious gem
    to overwrite arbitrary files (CVE-2017-0901).
    Resolves: CVE-2017-0901
  • Fix a DNS request hijacking vulnerability (CVE-2017-0902).
    • ruby-2.2.8-lib-rubygems-fix-several-vulnerabilities-in-RubyGems.patch
      Resolves: CVE-2017-0902
  • Fix buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898).
    • ruby-2.2.8-Buffer-underrun-vulnerability-in-Kernel.sprintf.patch
      Resolves: CVE-2017-0898
  • Escape sequence injection vulnerability in the Basic
    authentication of WEBrick (CVE-2017-10784).
    • ruby-2.2.8-sanitize-any-type-of-logs.patch
      Resolves: CVE-2017-10784
  • Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).
    • ruby-2.2.8-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
      Resolves: CVE-2017-14064
  • Command injection vulnerability in Net::FTP (CVE-2017-17405).
    • ruby-2.2.9-Fix-a-command-injection-vulnerability-in-Net-FTP.patch
      Resolves: CVE-2017-17405
  • Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033).
    • ruby-2.2.8-asn1-fix-out-of-bounds-read-in-decoding-constructed-objects.patch
      Resolves: CVE-2017-14033
  • Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code
    execution (CVE-2017-17790).
    • ruby-2.5.0-Fixed-command-Injection.patch
      Resolves: CVE-2017-17790
