
[SECURITY] [DLA 1480-1] ruby2.1 security update

Package        : ruby2.1
Version        : 2.1.5-2+deb8u5
CVE ID         : CVE-2016-2337 CVE-2018-1000073 CVE-2018-1000074
Debian Bug     : 895778 851161

Several vulnerabilities were discovered in Ruby 2.1.

CVE-2016-2337

    A type confusion exists in the _cancel_eval method of Ruby's TclTkIp
    class. An attacker passing an object of a type other than String as
    the "retval" argument can cause arbitrary code execution.

CVE-2018-1000073

    RubyGems contains a directory traversal vulnerability in the
    install_location function of package.rb that can result in path
    traversal when writing to a symlinked basedir outside of the root.

CVE-2018-1000074

    RubyGems contains a deserialization of untrusted data vulnerability
    in the owner command that can result in code execution. This attack
    appears to be exploitable when the victim runs the `gem owner`
    command on a gem with a specially crafted YAML.
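The path-traversal issue above is the kind of bug a destination check catches when it resolves symlinks before comparing paths. The following is an added example (not RubyGems' own code, and not the Debian patch): a hardened check of the sort install_location needs, plus a constructed fixture reproducing the symlinked-basedir shape. The helper names resolve_existing_prefix, safe_install_location, rejected? and demo_symlinked_basedir are assumptions.

```ruby
require "fileutils"
require "tmpdir"

# Resolve symlinks in the longest existing prefix of +path+ and re-append the
# not-yet-created remainder, so a symlinked intermediate directory cannot hide
# the real destination (hypothetical helper, an assumption of this example).
def resolve_existing_prefix(path)
  rest = []
  cur = path
  until File.exist?(cur)
    rest.unshift(File.basename(cur))
    parent = File.dirname(cur)
    break if parent == cur
    cur = parent
  end
  File.join(File.realpath(cur), *rest)
end

# Hardened destination check: compare the fully resolved candidate with
# the fully resolved install directory before anything is written.
def safe_install_location(filename, install_dir)
  root = File.realpath(install_dir)            # base dir, symlinks resolved
  candidate = File.expand_path(filename, root) # collapses "../" segments
  resolved = resolve_existing_prefix(candidate)
  unless resolved == root || resolved.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "refusing to write #{filename} outside #{root}"
  end
  resolved
end

def rejected?(name, root)
  safe_install_location(name, root)
  false
rescue ArgumentError
  true
end

# Constructed fixture: root/, a sibling outside/, and root/evil -> outside,
# the shape of the symlinked-basedir case described in the advisory.
def demo_symlinked_basedir
  Dir.mktmpdir("gem-demo") do |tmp|
    root = File.join(tmp, "root")
    outside = File.join(tmp, "outside")
    FileUtils.mkdir_p([root, outside])
    File.symlink(outside, File.join(root, "evil"))
    expected = File.join(File.realpath(root), "lib", "foo.rb")
    { normal_ok: safe_install_location("lib/foo.rb", root) == expected,
      dotdot_rejected: rejected?("../x", root),
      symlink_rejected: rejected?("evil/x", root) }
  end
end
```

A plain `File.expand_path` check alone would accept "evil/x", since the symlink is only followed at write time; resolving the existing prefix first is what makes the comparison meaningful.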
For Debian 8 "Jessie", these problems have been fixed in version
2.1.5-2+deb8u5.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
