Sicherheit: Ausführen beliebiger Kommandos in Ruby (Aktualisierung)

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============8243834970023940767==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="------------ZAatoNue5euYPaQHm2o0R07A"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------ZAatoNue5euYPaQHm2o0R07A
Content-Type: multipart/mixed;
boundary="------------thyCMVag1ag8ScycSIEbqs66";
protected-headers="v1"
From: Julia Sarris <julia.sarris@canonical.com>
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <a9304009-3927-40f9-a2e4-2f588381e399@canonical.com>
Subject: [USN-6838-2] Ruby vulnerability

--------------thyCMVag1ag8ScycSIEbqs66
Content-Type: multipart/mixed;
boundary="------------x3cnj7DqE2sq5FX4ZE0wLH4Y"

--------------x3cnj7DqE2sq5FX4ZE0wLH4Y
Content-Type: multipart/alternative;
boundary="------------Nb2gBqWUh5dtLd9TksmwHhdR"

--------------Nb2gBqWUh5dtLd9TksmwHhdR
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================

Ubuntu Security Notice USN-6838-2
February 10, 2025

ruby2.3, ruby2.5 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Ruby could be made to crash or run programs as your login if it
opened a specially crafted file.

Software Description:
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language

Details:

USN-6838-1 fixed CVE-2024-27281 in Ruby 2.7, Ruby 3.0, Ruby 3.1,
and Ruby 3.2. This update provides the corresponding updates for
Ruby 2.3 and Ruby 2.5.

Original advisory details:

It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If
a user or automated system were tricked into parsing a specially crafted
.rdoc_options file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2024-27281)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
libruby2.5 2.5.1-1ubuntu1.16+esm3
Available with Ubuntu Pro
ruby2.5 2.5.1-1ubuntu1.16+esm3
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libruby2.3 2.3.1-2~ubuntu16.04.16+esm9
Available with Ubuntu Pro
ruby2.3 2.3.1-2~ubuntu16.04.16+esm9
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6838-2
<https://ubuntu.com/security/notices/USN-6838-2>
https://ubuntu.com/security/notices/USN-6838-1
<https://ubuntu.com/security/notices/USN-6838-1>
CVE-2024-27281

--------------Nb2gBqWUh5dtLd9TksmwHhdR
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html>
<html>
<head>

<meta http-equiv=3D"Content-Type" content=3D"text/html;
charset=3DUTF=
-8">
</head>
<body>

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D
<div id=3D":1ui" class=3D"a3s aiL ">
Ubuntu Security Notice USN-6838-2 
February 10, 2025 
 
ruby2.3, ruby2.5 vulnerability 
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=
=3D=3D=3D=3D=3D 
 
A security issue affects these releases of Ubuntu and its
derivatives: 
 
- Ubuntu 18.04 LTS 
- Ubuntu 16.04 LTS 
 
Summary: 
 
Ruby could be made to crash or run programs as your login if
it =

opened a specially crafted file. 
 
Software Description: 
- ruby2.5: Object-oriented scripting language 
- ruby2.3: Object-oriented scripting language 
 
Details: 
 
USN-6838-1 fixed CVE-2024-27281 in Ruby 2.7, Ruby 3.0, Ruby 3.1,<br=
>
and Ruby 3.2. This update provides the corresponding updates for<br=
>
Ruby 2.3 and Ruby 2.5. 
 
Original advisory details: 
 
=C2=A0It was discovered that Ruby RDoc incorrectly parsed certain Y=
AML
files. If 
=C2=A0a user or automated system were tricked into parsing a specia=
lly
crafted 
=C2=A0.rdoc_options file, a remote attacker could possibly use this=

issue to 
=C2=A0execute arbitrary code. (CVE-2024-27281) 
 
Update instructions: 
 
The problem can be corrected by updating your system to the
following 
package versions: 
 
Ubuntu 18.04 LTS 
=C2=A0 libruby2.5=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 2.5.1-1ubuntu1.16+esm3 
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Available with Ubuntu P=
ro 
=C2=A0 ruby2.5=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A02.5.1-1ubuntu1.16+esm3 
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Available with Ubuntu P=
ro 
 
Ubuntu 16.04 LTS 
=C2=A0 libruby2.3=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 2.3.1-2~ubuntu16.04.16+esm9 
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Available with Ubuntu P=
ro 
=C2=A0 ruby2.3=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A02.3.1-2~ubuntu16.04.16+esm9 
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Available with Ubuntu P=
ro 
 
In general, a standard system update will make all the necessary
changes. 
 
References: 
=C2=A0 <a href=3D"https://ubuntu.com/security/notices/USN-6838-2"
rel=3D"noreferrer" target=3D"_blank"
data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://ubuntu.com=
/security/notices/USN-6838-2&source=3Dgmail&ust=3D173930867893400
=
0&usg=3DAOvVaw0ewFUVoyb2-LBdvIOFP_sG">https://ubuntu.com/security/no<=
wbr>tices/USN-6838-2</a> 
=C2=A0 <a href=3D"https://ubuntu.com/security/notices/USN-6838-1"
rel=3D"noreferrer" target=3D"_blank"
data-saferedirecturl=3D"https://www.google.com/url?q=3Dhttps://ubuntu.com=
/security/notices/USN-6838-1&source=3Dgmail&ust=3D173930867893400
=
0&usg=3DAOvVaw1DZ4Rw5goc0YE_bfvBY7AU">https://ubuntu.com/security/no<=
wbr>tices/USN-6838-1</a> 
=C2=A0 CVE-2024-27281
<div class=3D"yj6qo"></div>
<div class=3D"adL"> 
</div>
</div>
</body>
</html>

--------------Nb2gBqWUh5dtLd9TksmwHhdR--

--------------x3cnj7DqE2sq5FX4ZE0wLH4Y
Content-Type: application/pgp-keys;
name="OpenPGP_0x401EFCBCDA0FF1BD.asc"
Content-Disposition: attachment;
filename="OpenPGP_0x401EFCBCDA0FF1BD.asc"
Content-Description: OpenPGP public key
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsBNBGao8McBCAD/mTHpWpp0rMyhX+xQYmuj1DoCiadFZysyAyKIFXODXRSOAQ58
YTf6BEuhPtEamZq+aJEGOTBJmUZxvGMv0Fo5yBN+OGoMA2CJQwxWQCZCptfivOCI
D5p2eANebDVXpZHHgpNwCyFVZR/UfSLMqX/y2wEi1AC4CKc3ihFBWdMJVdDk6zz0
4g/x4w76CZczUpe17QWD1XuAWUxmaVGM/TiKjktq3Lp6yZrb0QSYjCovXAGwfBmz
beludDi+EMDmh76PeKWfqQ38QSPEvN+Lv6OTjPWDfilfuOPpDZA2gsjNj3TaBllL
k9YW98OrqsbegQ0BhPgoPYQ3S15ikv53M8o/ABEBAAHNKUp1bGlhIFNhcnJpcyA8
anVsaWEuc2FycmlzQGNhbm9uaWNhbC5jb20+wsCRBBMBCgA7FiEEOMd9M4Vpc6WH
Yvv+QB78vNoP8b0FAmao8McCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AA
CgkQQB78vNoP8b3fXQf6Awx8Nd5FkMMGdrWqBjIPZv1Ogkka2+PiIqwqcIeQGvam
V/bpIKOCb4QOS4kgQ+hNS1mmK+T/aWXRCYhiBIPAOIbo7jcMGxNz7V3+43RxlNVl
zt3feYM/QAJmgK8bjdCzI5ZQHiyX8pgOieCylRrcjroQHa9CxHej4aJGCaPGLFGo
81lYWJm21NP4LJTLk03ncJT8Ss64R28cOWUHujysxftAPHVYpPLdlwuJ3lgC8M5n
eq0qwsv22j62ldd/J7u2psRSczaU1ve/TfX71ZCyZZiw2Tm5HvaskD+CilXOaL2H
+KediuEtkQk5KKQikg2XtjbqCYyIxQT50v1TIu86ss7ATQRmqPDHAQgA5zGDufJq
9MhhDPJqM3Qz4kQXLKDXz2l5EovU5olrYerGmskpUBUSwfgAeBu9gMP5Y24spir3
eMm6O7m8EJsihMPCw4Iblzi9YZZX1TY3wegRXFIiaqW5kELnjhVnRpS9WQi9FDd9
gGPp7X3iQ8/B6+nyHitqhcj2A+Vpk5HaguY8zl3yEOwFnud5TEbSb/xYz7DhX5uv
B/FZ9rgn+j2N0hC/RVN1MpSRHZEbOCfpaYr/teiQexOWBlVVnZgCkHb9F0NiNImv
dXVZ18jY5wfgxemfgm8l4nDUlSMUIMiwGYekPMEuYvoDNPwfzzlYHKrVoqp54KMd
JALMUar1bVZtxQARAQABwsB2BBgBCgAgFiEEOMd9M4Vpc6WHYvv+QB78vNoP8b0F
Amao8McCGwwACgkQQB78vNoP8b10+ggA8nW+R2g9BDvkpurM0lwpaCtgKbaENIGg
lpxNXEEUEW7AaR4Mme+4PA/SdpWrFzVa0OGhqtZxkovUZXpgiLlx5/eR1Bl+TUuO
rjZkjGBy3r2Ce1JLwKilSZk7Bk45L7QDxA+NOLSFS7ADqzv37J2jhpfczqrYdpSj
kHgUvkapbuB0ONpQ/mhH9UDquY3eMGv3GSrvggVS0mKjR6bMl1plBWcfJ+Y//xQc
6S1bBdjbmwKMZjYbvhTpPbVeUOUdOg/0mYC/3rjSO+2OEn1Q+YIdfGqbLpDAbruG
m7XHtUOXesWorhDMzQGRpj7R+ed/9uJs0Nvg5FqAKTrzh+90ngEGuA=3D=3D
=3DQkbp
-----END PGP PUBLIC KEY BLOCK-----

--------------x3cnj7DqE2sq5FX4ZE0wLH4Y--

--------------thyCMVag1ag8ScycSIEbqs66--

--------------ZAatoNue5euYPaQHm2o0R07A
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEOMd9M4Vpc6WHYvv+QB78vNoP8b0FAmeqbXEFAwAAAAAACgkQQB78vNoP8b2l
jAf+KLvsymMgLtnqIbVKFwVy4OFVBVlAuUkNTULKQelUuOhJeBcUVWnU6nYOJU45DZhzKMw8fJ+t
NXy+YjH8RvMsYy3K3E4aGreynZpzDsRNS4MkckC+IsZH0HEevnzfgoczv/N9SqxRF49V8SLOEp8h
tYfQwvvmaJFaYZfr+AOo96An6tW6CzmFsvE9CKJnn9fNhgdipjJlSTu5X9TS4c3VsaLAODfq5jQc
VSo2W7VWGdD+ff73Vta8L8J0hQvJ1FAosfp+SiSZ7O0tlaRotymSLfNjWGOlEAqI025QEDnKqofn
B6AVXonmY5MLIJj1FiRDTfPuS4nhGtJD43YxCV33IQ==
=k0aK
-----END PGP SIGNATURE-----

--------------ZAatoNue5euYPaQHm2o0R07A--

--===============8243834970023940767==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============8243834970023940767==--