EulerOS 2.0 SP2 : ruby (EulerOS-SA-2019-1718)

According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - rubygems: Installing a malicious gem may lead to arbitrary code execution CVE-2019-8324 - rubygems: Escape sequence injection vulnerability in gem...

openSUSE Security Update : ruby-bundled-gems-rpmhelper / ruby2.5 (openSUSE-2019-1771)

This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues : Changes in ruby2.5 : Update to 2.5.5 and 2.5.4 : https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/ https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/ Security issues fixed : -...

Important: ruby

Issue Overview: An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. CVE-2019-8322 An issue was discovered in RubyGems 2.6 and...

Code backdoor in paranoid2

The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.1.5...

CVE-2019-13589

The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.1.5...

Code injection

The strongpassword gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6...

GHSA-4WM8-FJV7-J774 RubyGems Escape sequence injection in errors

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManagerrun calls alerterror without escaping, escape sequence injection is possible. There are many ways to cause an error...

RubyGems Escape sequence injection in errors

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManagerrun calls alerterror without escaping, escape sequence injection is possible. There are many ways to cause an error...

GHSA-5X32-C9MF-49CC RubyGems Delete directory using symlink when decompressing tar

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

RubyGems Delete directory using symlink when decompressing tar

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could...

Directory Traversal

Overview rubygems-update is an inbuilt rubygem for updating rubygems. Affected versions of this package are vulnerable to Directory Traversal. Before making new directories or touching files which now include path-checking code for symlinks, it would delete the target destination. If that...

GHSA-76WM-422Q-92MQ Code injection in RubyGems

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensureloadablespec during the preinstall check...

Code injection in RubyGems

An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensureloadablespec during the preinstall check...

RubyGems Escape sequence injection vulnerability in verbose

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteractionverbose calls say without escaping, escape sequence injection is possible...

Arbitrary Code Injection

Overview rubygems-update is an inbuilt rubygem for updating rubygems. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the Gem::UserInteractionverbose function which calls say without escaping. Remediation Upgrade rubygems-update to version 2.7.9, 3.0.3 or highe...

GHSA-FR32-GR5C-XQ5C RubyGems Escape sequence injection vulnerability in verbose

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteractionverbose calls say without escaping, escape sequence injection is possible...

RubyGems Escape sequence injection vulnerability in gem owner

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur...

GHSA-MH37-8C3G-3FGC RubyGems Escape sequence injection vulnerability in gem owner

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur...

Arbitrary Code Injection

Overview rubygems-update is an inbuilt rubygem for updating rubygems. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence...

Arbitrary Code Injection

Overview rubygems-update is an inbuilt rubygem for updating rubygems. Affected versions of this package are vulnerable to Arbitrary Code Injection. Gem::GemcutterUtilitieswithresponse may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence...