[SECURITY] [DLA 1336-1] rubygems security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1336-1] rubygems security update
From: "Santiago R.R." <santiagorr@riseup.net>
Date: Sun, 1 Apr 2018 19:18:32 +0200
Message-id: <[🔎] 20180401122517.GA11987@novelo>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Package        : rubygems
Version        : 1.8.24-1+deb7u2
CVE ID         : CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078

Multiple vulnerabilities were found in rubygems, a package management framework
for Ruby. 

CVE-2018-1000075

    A negative size vulnerability in ruby gem package tar header that could
    cause an infinite loop.

CVE-2018-1000076

    Ruby gems package improperly verifies cryptographic signatures. A mis-signed
    gem could be installed if the tarball contains multiple gem signatures.

CVE-2018-1000077

    An improper input validation vulnerability in ruby gems specification
    homepage attribute could allow malicious gem to set an invalid homepage
    URL.

CVE-2018-1000078

    Cross Site Scripting (XSS) vulnerability in gem server display of homepage
    attribute

For Debian 7 "Wheezy", these problems have been fixed in version
1.8.24-1+deb7u2.

We recommend that you upgrade your rubygems packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Next by Date: [SECURITY] [DLA 1337-1] jruby security update
Next by thread: [SECURITY] [DLA 1337-1] jruby security update
Index(es):
- Date
- Thread