(RHSA-2018:0585) Important: rh-ruby23-ruby security, bug fix, and enhancement update

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version: rh-ruby23-ruby (2.3.6), rh-ruby23-rubygems (2.5.2.2), rh-ruby23-rubygem-json (1.8.3.1), rh-ruby23-rubygem-minitest (5.8.5), rh-ruby23-rubygem-psych (2.1.0.1). (BZ#1549649)

Security Fix(es):

• ruby: Command injection vulnerability in Net::FTP (CVE-2017-17405)

• ruby: Buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898)

• rubygems: Arbitrary file overwrite due to incorrect validation of specification name (CVE-2017-0901)

• rubygems: DNS hijacking vulnerability (CVE-2017-0902)

• rubygems: Unsafe object deserialization through YAML formatted gem specifications (CVE-2017-0903)

• ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick (CVE-2017-10784)

• ruby: Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033)

• rubygems: Escape sequence in the “summary” field of gemspec (CVE-2017-0899)

• rubygems: No size limit in summary length of gem spec (CVE-2017-0900)

• ruby: Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064)

• ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution (CVE-2017-17790)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.