ruby security update

2018-02-28T00:00:00
ID ELSA-2018-0378
Type oraclelinux
Reporter Oracle
Modified 2018-02-28T00:00:00

Description

[2.0.0.648-33]
- Fix always-passing WEBrick test.

[2.0.0.648-32]
- Add Psych.safe_load.
  * ruby-2.1.0-there-should-be-only-one-exception.patch
  * ruby-2.1.0-Adding-Psych.safe_load.patch
  Related: CVE-2017-0903
- Disable Tokyo TZ tests broken by recent tzdata update.
  * ruby-2.5.0-Disable-Tokyo-TZ-tests.patch
  Related: CVE-2017-0903

[2.0.0.648-31]
- Fix unsafe object deserialization in RubyGems (CVE-2017-0903).
  * ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch
  Resolves: CVE-2017-0903
- Fix an ANSI escape sequence vulnerability (CVE-2017-0899).
  Resolves: CVE-2017-0899
- Fix a DoS vulnerability in the query command (CVE-2017-0900).
  Resolves: CVE-2017-0900
- Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files (CVE-2017-0901).
  Resolves: CVE-2017-0901
- Fix a DNS request hijacking vulnerability (CVE-2017-0902).
  * ruby-2.2.8-lib-rubygems-fix-several-vulnerabilities-in-RubyGems.patch
  Resolves: CVE-2017-0902
- Fix buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898).
  * ruby-2.2.8-Buffer-underrun-vulnerability-in-Kernel.sprintf.patch
  Resolves: CVE-2017-0898
- Fix escape sequence injection vulnerability in the Basic authentication of WEBrick (CVE-2017-10784).
  * ruby-2.2.8-sanitize-any-type-of-logs.patch
  Resolves: CVE-2017-10784
- Fix arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).
  * ruby-2.2.8-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
  Resolves: CVE-2017-14064
- Fix command injection vulnerability in Net::FTP (CVE-2017-17405).
  * ruby-2.2.9-Fix-a-command-injection-vulnerability-in-Net-FTP.patch
  Resolves: CVE-2017-17405
- Fix buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033).
  * ruby-2.2.8-asn1-fix-out-of-bounds-read-in-decoding-constructed-objects.patch
  Resolves: CVE-2017-14033
- Fix command injection in lib/resolv.rb:lazy_initialize() that allows arbitrary code execution (CVE-2017-17790).
  * ruby-2.5.0-Fixed-command-Injection.patch
  Resolves: CVE-2017-17790
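Added example, not part of this advisory and not RubyGems' or Psych's own code, showing why the Psych.safe_load backport matters for CVE-2017-0903: a full YAML load revives any `!ruby/object:` tagged class and calls its `init_with` hook, so loading untrusted gem metadata with the unrestricted loader runs attacker-chosen input, whereas Psych.safe_load only builds core scalar and collection types and raises Psych::DisallowedClass on the tag. The `Gadget` class, the `SIDE_EFFECTS` sink and both YAML documents are constructed for illustration; a real gadget would call `Kernel.system` or similar where this one only records a string.

```ruby
require 'psych'

# Constructed sink: records what a revived gadget would have done.
# A real gadget class would call Kernel.system/open here; this one only logs.
SIDE_EFFECTS = []

# Hypothetical class standing in for any loadable class with a dangerous
# init_with hook. Psych calls init_with(coder) when it revives a
# !ruby/object: node, so mere instantiation runs attacker-controlled data.
class Gadget
  attr_reader :cmd

  def init_with(coder)
    @cmd = coder['cmd']
    SIDE_EFFECTS << "would execute: #{@cmd}"
  end
end

# Constructed gemspec-like document: benign-looking keys followed by a
# tagged object. The unrestricted loader instantiates Gadget while parsing.
HOSTILE_YAML = <<~YAML
  name: example-gem
  version: "1.0.0"
  hook: !ruby/object:Gadget
    cmd: "id > /tmp/pwned"
YAML

# Constructed benign document with only plain scalars and collections.
BENIGN_YAML = <<~YAML
  name: example-gem
  version: "1.0.0"
  authors:
    - Jane
YAML

# Pre-fix behaviour: the full YAML loader with arbitrary class revival.
# Psych >= 4 renamed it Psych.unsafe_load; older Psych exposes it as Psych.load.
def unsafe_load(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# Post-fix behaviour: Psych.safe_load builds only String/Integer/Float/
# true/false/nil/Array/Hash and raises on any !ruby/object tag.
# Returns [:ok, data] or [:rejected, reason] so callers never see a half-built object.
def load_untrusted(yaml)
  [:ok, Psych.safe_load(yaml)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  puts "safe_load(benign):  #{load_untrusted(BENIGN_YAML).inspect}"
  puts "safe_load(hostile): #{load_untrusted(HOSTILE_YAML).inspect}"
  puts "side effects so far: #{SIDE_EFFECTS.inspect}"   # still empty
  doc = unsafe_load(HOSTILE_YAML)
  puts "unsafe load built a #{doc['hook'].class}; side effects: #{SIDE_EFFECTS.inspect}"
end
```

The check a reviewer wants on any code that parses gem metadata, config or user uploads is that every YAML entry point goes through `safe_load` (with an explicit permitted-class list if richer types are genuinely needed), never through the unrestricted loader, because the dangerous step is object construction during parsing, before the caller ever inspects the result.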