RHSA-2018:0583: Important: rh-ruby22-ruby security, bug fix, and enhancement update
First published: Mon Mar 26 2018(Updated: )
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.<br>The following packages have been upgraded to a later upstream version: rh-ruby22-ruby (2.2.9), rh-ruby22-rubygems (2.4.5.4), rh-ruby22-rubygem-psych (2.0.8.1), rh-ruby22-rubygem-json (1.8.1.1). (BZ#1549646)<br>Security Fix(es):<br><li> ruby: Command injection vulnerability in Net::FTP (CVE-2017-17405)</li> <li> ruby: Buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898)</li> <li> rubygems: Arbitrary file overwrite due to incorrect validation of specification name (CVE-2017-0901)</li> <li> rubygems: DNS hijacking vulnerability (CVE-2017-0902)</li> <li> rubygems: Unsafe object deserialization through YAML formatted gem specifications (CVE-2017-0903)</li> <li> ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick (CVE-2017-10784)</li> <li> ruby: Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033)</li> <li> ruby: DL::dlopen could open a library with tainted library name (CVE-2009-5147, CVE-2015-7551)</li> <li> rubygems: Escape sequence in the "summary" field of gemspec (CVE-2017-0899)</li> <li> rubygems: No size limit in summary length of gem spec (CVE-2017-0900)</li> <li> ruby: Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064)</li> <li> ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution (CVE-2017-17790)</li> For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-ruby22-ruby | <2.2.9-19.el7 | 2.2.9-19.el7 |
| redhat/rh-ruby22-ruby | <2.2.9-19.el7 | 2.2.9-19.el7 |
| redhat/rh-ruby22-ruby-debuginfo | <2.2.9-19.el7 | 2.2.9-19.el7 |
| redhat/rh-ruby22-ruby-devel | <2.2.9-19.el7 | 2.2.9-19.el7 |
| redhat/rh-ruby22-ruby-doc | <2.2.9-19.el7 | 2.2.9-19.el7 |
| redhat/rh-ruby22-ruby-irb | <2.2.9-19.el7 | 2.2.9-19.el7 |
| redhat/rh-ruby22-ruby-libs | <2.2.9-19.el7 | 2.2.9-19.el7 |
| redhat/rh-ruby22-ruby-tcltk | <2.2.9-19.el7 | 2.2.9-19.el7 |
| redhat/rh-ruby22-rubygem-bigdecimal | <1.2.6-19.el7 | 1.2.6-19.el7 |
| redhat/rh-ruby22-rubygem-io-console | <0.4.3-19.el7 | 0.4.3-19.el7 |
| redhat/rh-ruby22-rubygem-json | <1.8.1.1-19.el7 | 1.8.1.1-19.el7 |
| redhat/rh-ruby22-rubygem-minitest | <5.4.3-19.el7 | 5.4.3-19.el7 |
| redhat/rh-ruby22-rubygem-psych | <2.0.8.1-19.el7 | 2.0.8.1-19.el7 |
| redhat/rh-ruby22-rubygem-rake | <10.4.2-19.el7 | 10.4.2-19.el7 |
| redhat/rh-ruby22-rubygem-rdoc | <4.2.0-19.el7 | 4.2.0-19.el7 |
| redhat/rh-ruby22-rubygem-test-unit | <3.0.8-19.el7 | 3.0.8-19.el7 |
| redhat/rh-ruby22-rubygems | <2.4.5.4-19.el7 | 2.4.5.4-19.el7 |
| redhat/rh-ruby22-rubygems-devel | <2.4.5.4-19.el7 | 2.4.5.4-19.el7 |
| redhat/rh-ruby22-ruby | <2.2.9-19.el6 | 2.2.9-19.el6 |
| redhat/rh-ruby22-ruby | <2.2.9-19.el6 | 2.2.9-19.el6 |
| redhat/rh-ruby22-ruby-debuginfo | <2.2.9-19.el6 | 2.2.9-19.el6 |
| redhat/rh-ruby22-ruby-devel | <2.2.9-19.el6 | 2.2.9-19.el6 |
| redhat/rh-ruby22-ruby-doc | <2.2.9-19.el6 | 2.2.9-19.el6 |
| redhat/rh-ruby22-ruby-irb | <2.2.9-19.el6 | 2.2.9-19.el6 |
| redhat/rh-ruby22-ruby-libs | <2.2.9-19.el6 | 2.2.9-19.el6 |
| redhat/rh-ruby22-ruby-tcltk | <2.2.9-19.el6 | 2.2.9-19.el6 |
| redhat/rh-ruby22-rubygem-bigdecimal | <1.2.6-19.el6 | 1.2.6-19.el6 |
| redhat/rh-ruby22-rubygem-io-console | <0.4.3-19.el6 | 0.4.3-19.el6 |
| redhat/rh-ruby22-rubygem-json | <1.8.1.1-19.el6 | 1.8.1.1-19.el6 |
| redhat/rh-ruby22-rubygem-minitest | <5.4.3-19.el6 | 5.4.3-19.el6 |
| redhat/rh-ruby22-rubygem-psych | <2.0.8.1-19.el6 | 2.0.8.1-19.el6 |
| redhat/rh-ruby22-rubygem-rake | <10.4.2-19.el6 | 10.4.2-19.el6 |
| redhat/rh-ruby22-rubygem-rdoc | <4.2.0-19.el6 | 4.2.0-19.el6 |
| redhat/rh-ruby22-rubygem-test-unit | <3.0.8-19.el6 | 3.0.8-19.el6 |
| redhat/rh-ruby22-rubygems | <2.4.5.4-19.el6 | 2.4.5.4-19.el6 |
| redhat/rh-ruby22-rubygems-devel | <2.4.5.4-19.el6 | 2.4.5.4-19.el6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1248935
- https://bugzilla.redhat.com/show_bug.cgi?id=1487552
- https://bugzilla.redhat.com/show_bug.cgi?id=1487587
- https://bugzilla.redhat.com/show_bug.cgi?id=1487588
- https://bugzilla.redhat.com/show_bug.cgi?id=1487589
- https://bugzilla.redhat.com/show_bug.cgi?id=1487590
- https://bugzilla.redhat.com/show_bug.cgi?id=1491866
- https://bugzilla.redhat.com/show_bug.cgi?id=1492012
- https://bugzilla.redhat.com/show_bug.cgi?id=1492015
- https://bugzilla.redhat.com/show_bug.cgi?id=1500488
- https://bugzilla.redhat.com/show_bug.cgi?id=1526189
- https://bugzilla.redhat.com/show_bug.cgi?id=1528218
- https://bugzilla.redhat.com/show_bug.cgi?id=1549646
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/errata/RHSA-2018:0583 (Advisory)
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2018:0583
- agent/software-canonical-lookup
- package-manager/redhat