149 matches found

OSV
added 2019/07/10 8:40 a.m., 6 views

SUSE-SU-2019:1804-1 Security update for ruby-bundled-gems-rpmhelper, ruby2.5

This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues: Changes in ruby2.5: Update to 2.5.5 and 2.5.4: https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/ Security issues fixed: -...

CVSS 9.8 | AI score 8.6 | EPSS 0.06225
Exploits: 1 | References: 45
OSV
added 2019/05/10 4:29 p.m., 5 views

CVE-2019-11879

The WEBrick gem 1.4.2 for Ruby allows directory traversal if the attacker once had local access to create a symlink to a location outside of the web root directory. NOTE: The vendor states that this is analogous to Options FollowSymlinks in the Apache HTTP Server, and therefore it is "not a probl...

CVSS 5.5 | AI score 6.7
Exploits: 0 | References: 1
OSV
added 2018/10/28 12:00 a.m., 34 views

DLA-1558-1 ruby2.1 - security update

Bulletin has no description...

CVSS 9.8 | AI score 7.8 | EPSS 0.0421
Exploits: 0
OSV
added 2018/07/16 12:00 a.m., 27 views

DSA-4247-1 ruby-rack-protection - security update

Bulletin has no description...

CVSS 5.9 | AI score 6.1 | EPSS 0.00403
Exploits: 0
Debian CVE
added 2018/04/03 10:00 p.m., 29 views

CVE-2018-8778

Removed by vendor...

CVSS 7.5 | AI score 8.7 | EPSS 0.00537
Exploits: 0
Oracle linux
added 2018/02/28 12:00 a.m., 57 views

ruby security update

2.0.0.648-33 - Fix always passing WEBrick test. 2.0.0.648-32 - Add Psych.safe_load (ruby-2.1.0-there-should-be-only-one-exception.patch, ruby-2.1.0-Adding-Psych.safe_load.patch). Related: CVE-2017-0903 - Disable Tokyo TZ tests broken by recent tzdata update (ruby-2.5.0-Disable-Tokyo-TZ-tests.patch)...

CVSS 9.8 | AI score 9.8 | EPSS 0.88646
Exploits: 14
Hacker One
added 2018/01/04 5:45 a.m., 270 views

Ruby: Unintentional file creation caused at Tempfile with directory traversal

The Tempfile argument of basename can use ../ without escaping. Therefore, directory traversal may occur and unintended files may be generated. Create file pattern log: vagrant@localhost $ ls . vagrant@localhost $ irb irb(main):001:0> require 'tempfile' => true irb(main):002:0>...

CVSS 5 | AI score 1.2 | EPSS 0.02372
Exploits: 0
UbuntuCve
added 2017/12/15 12:00 a.m., 22 views

CVE-2017-17405

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default...

CVSS 9.3 | AI score 6.9 | EPSS 0.88646
Exploits: 5 | References: 5
exploitpack
added 2017/12/02 12:00 a.m., 98 views

Ruby 2.2.8 2.3.5 2.4.2 2.5.0-preview1 - NET::Ftp Command Injection

While using NET::Ftp I realised you could get command execution through "malicious" file names. The problem lies in the gettextfile(remotefile, localfile = File.basename(remotefile)) method. When looking at the source code, you'll not...

CVSS 9.3 | AI score 8.1 | EPSS 0.88646
Exploits: 5
OSV
added 2017/04/20 6:35 a.m., 6 views

SUSE-SU-2017:1067-1 Security update for ruby2.1

This ruby2.1 update to version 2.1.9 fixes the following issues: Security issues fixed: - CVE-2016-2339: heap overflow vulnerability in the Fiddle::Function.new'initialize' (bsc#1018808) - CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495) - CVE-2015-3900: hostname validation does...

CVSS 9.8 | AI score 6.5 | EPSS 0.03404
Exploits: 2 | References: 14
OSV
added 2017/04/06 9:39 a.m., 7 views

SUSE-SU-2017:0948-1 Security update for ruby

This update for ruby fixes the following issues: Security issues fixed: - CVE-2015-1855: Ruby OpenSSL Hostname Verification (bsc#926974) - CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495) Bugfixes: - fix small mistake in the backport for bsc#986630...

CVSS 8.4 | AI score 6 | EPSS 0.0272
Exploits: 0 | References: 6
Hacker One
added 2017/03/01 10:55 p.m., 42 views

Ruby: Arbitrary heap exposure in JSON.generate

Running this snippet can expose arbitrary memory: require 'json'; state = JSON.state.new; state.space = "\0" * 1024; puts JSON.generate({a: :b}, state)...

CVSS 7.5 | AI score 0.2 | EPSS 0.0191
Exploits: 1
FreeBSD
added 2016/08/11 12:00 a.m., 25 views

Rails 4 -- Possible XSS Vulnerability in Action View

Ruby Security team reports: There is a possible XSS vulnerability in Action View. Text declared as "HTML safe" will not have quotes escaped when used as attribute values in tag helpers. This vulnerability has been assigned the CVE identifier CVE-2016-6316...

CVSS 6.1 | AI score 1.4 | EPSS 0.01626
Exploits: 0 | References: 1
Oracle linux
added 2016/02/04 12:00 a.m., 51 views

ruby193-ruby security update

1.9.3.484-50.0.1 - fix build issue: self test report 'dh key to small' 1.9.3.484-50 - Fix off-by-one stack-based buffer overflow in the encodes function (CVE-2014-4975). Related: rhbz#1164004 - Fix REXML billion laughs attack via parameter entity expansion (CVE-2014-8080). Related: rhbz#1164004 - REXML...

CVSS 5 | AI score 2.8 | EPSS 0.15626
Exploits: 2
OpenVAS
added 2015/10/08 12:00 a.m., 42 views

Oracle: Security Advisory (ELSA-2009-1140)

The remote host is missing an update for the...

CVSS 6.8 | AI score 9 | EPSS 0.1342
Exploits: 4 | References: 2
Tenable Nessus
added 2015/06/01 12:00 a.m., 49 views

Debian DLA-235-1 : ruby1.9.1 security update

CVE-2011-0188 The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of...

CVSS 6.8 | AI score 7.1 | EPSS 0.0272
Exploits: 2 | References: 8
Debian
added 2015/03/14 7:01 p.m., 42 views

[SECURITY] [DLA 172-1] libextlib-ruby security update

Package: libextlib-ruby. Version: 0.9.13-2+deb6u1. CVE ID: CVE-2013-0156. Debian Bug: 697895. Import patches 633974b2759d9b92 and 4540e7102b803624 from upstream to remove symbol and YAML coercion from the XML parser...

CVSS 7.5 | AI score 7.7 | EPSS 0.91907
Exploits: 21
OSV
added 2014/11/21 12:44 p.m., 5 views

MGASA-2014-0472 Updated ruby packages fix security vulnerabilities

Will Wood discovered that Ruby incorrectly handled the encodes function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a...

CVSS 5 | AI score 6.6 | EPSS 0.11898
Exploits: 1 | References: 6
OSV
added 2013/12/31 4:04 p.m., 7 views

CVE-2013-6459

Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links...

AI score 7.1
Exploits: 0 | References: 5
OSV
added 2013/07/26 11:29 a.m., 4 views

MGASA-2013-0229 Updated ruby packages fix CVE-2013-4073

A vulnerability in Ruby's SSL client could allow man-in-the-middle attackers to spoof SSL servers via a valid certificate issued by a trusted certification authority (CVE-2013-4073)...

CVSS 6.8 | AI score 6 | EPSS 0.02834
Exploits: 0 | References: 4