RHSA-2018:0585: Important: rh-ruby23-ruby security, bug fix, and enhancement update
First published: Mon Mar 26 2018(Updated: )
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.<br>The following packages have been upgraded to a later upstream version: rh-ruby23-ruby (2.3.6), rh-ruby23-rubygems (2.5.2.2), rh-ruby23-rubygem-json (1.8.3.1), rh-ruby23-rubygem-minitest (5.8.5), rh-ruby23-rubygem-psych (2.1.0.1). (BZ#1549649)<br>Security Fix(es):<br><li> ruby: Command injection vulnerability in Net::FTP (CVE-2017-17405)</li> <li> ruby: Buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898)</li> <li> rubygems: Arbitrary file overwrite due to incorrect validation of specification name (CVE-2017-0901)</li> <li> rubygems: DNS hijacking vulnerability (CVE-2017-0902)</li> <li> rubygems: Unsafe object deserialization through YAML formatted gem specifications (CVE-2017-0903)</li> <li> ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick (CVE-2017-10784)</li> <li> ruby: Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033)</li> <li> rubygems: Escape sequence in the "summary" field of gemspec (CVE-2017-0899)</li> <li> rubygems: No size limit in summary length of gem spec (CVE-2017-0900)</li> <li> ruby: Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064)</li> <li> ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution (CVE-2017-17790)</li> For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-ruby23-ruby | <2.3.6-67.el7 | 2.3.6-67.el7 |
| redhat/rh-ruby23-ruby | <2.3.6-67.el7 | 2.3.6-67.el7 |
| redhat/rh-ruby23-ruby-debuginfo | <2.3.6-67.el7 | 2.3.6-67.el7 |
| redhat/rh-ruby23-ruby-devel | <2.3.6-67.el7 | 2.3.6-67.el7 |
| redhat/rh-ruby23-ruby-doc | <2.3.6-67.el7 | 2.3.6-67.el7 |
| redhat/rh-ruby23-ruby-irb | <2.3.6-67.el7 | 2.3.6-67.el7 |
| redhat/rh-ruby23-ruby-libs | <2.3.6-67.el7 | 2.3.6-67.el7 |
| redhat/rh-ruby23-ruby-tcltk | <2.3.6-67.el7 | 2.3.6-67.el7 |
| redhat/rh-ruby23-rubygem-bigdecimal | <1.2.8-67.el7 | 1.2.8-67.el7 |
| redhat/rh-ruby23-rubygem-io-console | <0.4.5-67.el7 | 0.4.5-67.el7 |
| redhat/rh-ruby23-rubygem-json | <1.8.3.1-67.el7 | 1.8.3.1-67.el7 |
| redhat/rh-ruby23-rubygem-minitest | <5.8.5-67.el7 | 5.8.5-67.el7 |
| redhat/rh-ruby23-rubygem-net-telnet | <0.1.1-67.el7 | 0.1.1-67.el7 |
| redhat/rh-ruby23-rubygem-psych | <2.1.0.1-67.el7 | 2.1.0.1-67.el7 |
| redhat/rh-ruby23-rubygem-rake | <10.4.2-67.el7 | 10.4.2-67.el7 |
| redhat/rh-ruby23-rubygem-rdoc | <4.2.1-67.el7 | 4.2.1-67.el7 |
| redhat/rh-ruby23-rubygem-test-unit | <3.1.5-67.el7 | 3.1.5-67.el7 |
| redhat/rh-ruby23-rubygems | <2.5.2.2-67.el7 | 2.5.2.2-67.el7 |
| redhat/rh-ruby23-rubygems-devel | <2.5.2.2-67.el7 | 2.5.2.2-67.el7 |
| redhat/rh-ruby23-ruby | <2.3.6-67.el6 | 2.3.6-67.el6 |
| redhat/rh-ruby23-ruby | <2.3.6-67.el6 | 2.3.6-67.el6 |
| redhat/rh-ruby23-ruby-debuginfo | <2.3.6-67.el6 | 2.3.6-67.el6 |
| redhat/rh-ruby23-ruby-devel | <2.3.6-67.el6 | 2.3.6-67.el6 |
| redhat/rh-ruby23-ruby-doc | <2.3.6-67.el6 | 2.3.6-67.el6 |
| redhat/rh-ruby23-ruby-irb | <2.3.6-67.el6 | 2.3.6-67.el6 |
| redhat/rh-ruby23-ruby-libs | <2.3.6-67.el6 | 2.3.6-67.el6 |
| redhat/rh-ruby23-ruby-tcltk | <2.3.6-67.el6 | 2.3.6-67.el6 |
| redhat/rh-ruby23-rubygem-bigdecimal | <1.2.8-67.el6 | 1.2.8-67.el6 |
| redhat/rh-ruby23-rubygem-io-console | <0.4.5-67.el6 | 0.4.5-67.el6 |
| redhat/rh-ruby23-rubygem-json | <1.8.3.1-67.el6 | 1.8.3.1-67.el6 |
| redhat/rh-ruby23-rubygem-minitest | <5.8.5-67.el6 | 5.8.5-67.el6 |
| redhat/rh-ruby23-rubygem-net-telnet | <0.1.1-67.el6 | 0.1.1-67.el6 |
| redhat/rh-ruby23-rubygem-psych | <2.1.0.1-67.el6 | 2.1.0.1-67.el6 |
| redhat/rh-ruby23-rubygem-rake | <10.4.2-67.el6 | 10.4.2-67.el6 |
| redhat/rh-ruby23-rubygem-rdoc | <4.2.1-67.el6 | 4.2.1-67.el6 |
| redhat/rh-ruby23-rubygem-test-unit | <3.1.5-67.el6 | 3.1.5-67.el6 |
| redhat/rh-ruby23-rubygems | <2.5.2.2-67.el6 | 2.5.2.2-67.el6 |
| redhat/rh-ruby23-rubygems-devel | <2.5.2.2-67.el6 | 2.5.2.2-67.el6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1487552
- https://bugzilla.redhat.com/show_bug.cgi?id=1487587
- https://bugzilla.redhat.com/show_bug.cgi?id=1487588
- https://bugzilla.redhat.com/show_bug.cgi?id=1487589
- https://bugzilla.redhat.com/show_bug.cgi?id=1487590
- https://bugzilla.redhat.com/show_bug.cgi?id=1491866
- https://bugzilla.redhat.com/show_bug.cgi?id=1492012
- https://bugzilla.redhat.com/show_bug.cgi?id=1492015
- https://bugzilla.redhat.com/show_bug.cgi?id=1500488
- https://bugzilla.redhat.com/show_bug.cgi?id=1526189
- https://bugzilla.redhat.com/show_bug.cgi?id=1528218
- https://bugzilla.redhat.com/show_bug.cgi?id=1549649
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/errata/RHSA-2018:0585 (Advisory)
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2018:0585
- agent/software-canonical-lookup
- package-manager/redhat