
Security: Multiple issues in Ruby (update)
Name: Multiple issues in Ruby (update)
ID: USN-3685-2
Distribution: Ubuntu
Platforms: Ubuntu 14.04 ESM
Date: Fri, 26 March 2021, 00:00
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784
Applications: Ruby
Update of: Multiple issues in Ruby

Original message


==========================================================================
Ubuntu Security Notice USN-3685-2
March 25, 2021

ruby2.0 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

USN-3685-1 introduced a regression in Ruby.

Software Description:
- ruby2.0: Object-oriented scripting language

Details:

USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced
a regression in Ruby. This update fixes the problem.

Original advisory details:

Some of these CVEs were already addressed in previous
USNs: 3439-1, 3553-1, 3528-1. Here we address them for
the remaining releases.

It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)

It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)

It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)

It was discovered that Ruby incorrectly handled certain YAML files.
An attacker could use this to possibly execute arbitrary code. (CVE-2017-0903)

It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to expose sensitive information.
(CVE-2017-14064)

It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to execute arbitrary code. (CVE-2017-10784)

It was discovered that Ruby incorrectly handled certain network requests.
An attacker could possibly use this to inject a crafted key into an HTTP
response. (CVE-2017-17742)

It was discovered that Ruby incorrectly handled certain files.
An attacker could possibly use this to execute arbitrary code.
This update is only addressed to ruby2.0. (CVE-2018-1000074)

It was discovered that Ruby incorrectly handled certain network requests.
An attacker could possibly use this to cause a denial of service.
(CVE-2018-8777)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
libruby2.0 2.0.0.484-1ubuntu2.13+esm1
ruby2.0 2.0.0.484-1ubuntu2.13+esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-3685-2
https://ubuntu.com/security/notices/USN-3685-1
CVE-2017-0903, https://bugs.launchpad.net/ubuntu/+source/ruby2.0/+bug/1777174
