- Vulnerability/
- USN-3365-1
USN-3365-1: Ruby vulnerabilities
First published: Tue Jul 25 2017(Updated: )
It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147) Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855) Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-7551) It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences. A remote attacker could possibly use this issue to inject SMTP commands. (CVE-2015-9096) Marcin Noga discovered that Ruby incorrectly handled certain arguments in a TclTkIp class method. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2337) It was discovered that Ruby Fiddle::Function.new incorrectly handled certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2339) It was discovered that Ruby incorrectly handled the initialization vector (IV) in GCM mode. An attacker could possibly use this issue to bypass encryption. (CVE-2016-7798)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/libruby2.3 | <2.3.3-1ubuntu0.1 | 2.3.3-1ubuntu0.1 |
| Ubuntu Ubuntu | =17.04 | |
| All of | ||
| ubuntu/ruby2.3 | <2.3.3-1ubuntu0.1 | 2.3.3-1ubuntu0.1 |
| Ubuntu Ubuntu | =17.04 | |
| All of | ||
| ubuntu/libruby2.3 | <2.3.1-2~16.04.2 | 2.3.1-2~16.04.2 |
| Ubuntu Ubuntu | =16.04 | |
| All of | ||
| ubuntu/ruby2.3 | <2.3.1-2~16.04.2 | 2.3.1-2~16.04.2 |
| Ubuntu Ubuntu | =16.04 | |
| All of | ||
| ubuntu/libruby1.9.1 | <1.9.3.484-2ubuntu1.3 | 1.9.3.484-2ubuntu1.3 |
| Ubuntu Ubuntu | =14.04 | |
| All of | ||
| ubuntu/libruby2.0 | <2.0.0.484-1ubuntu2.4 | 2.0.0.484-1ubuntu2.4 |
| Ubuntu Ubuntu | =14.04 | |
| All of | ||
| ubuntu/ruby1.9.1 | <1.9.3.484-2ubuntu1.3 | 1.9.3.484-2ubuntu1.3 |
| Ubuntu Ubuntu | =14.04 | |
| All of | ||
| ubuntu/ruby2.0 | <2.0.0.484-1ubuntu2.4 | 2.0.0.484-1ubuntu2.4 |
| Ubuntu Ubuntu | =14.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2009-5147
- https://ubuntu.com/security/CVE-2015-1855
- https://ubuntu.com/security/CVE-2015-7551
- https://ubuntu.com/security/CVE-2015-9096
- https://ubuntu.com/security/CVE-2016-2337
- https://ubuntu.com/security/CVE-2016-2339
- https://ubuntu.com/security/CVE-2016-7798
- https://launchpad.net/ubuntu/+source/ruby2.3/2.3.3-1ubuntu0.1
- https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~16.04.2
- https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.484-2ubuntu1.3
- https://launchpad.net/ubuntu/+source/ruby2.0/2.0.0.484-1ubuntu2.4
- https://ubuntu.com/security/notices/USN-3365-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
- agent/references
- agent/severity
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/usn
- source/Ubuntu
- agent/software-canonical-lookup
- agent/title
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- agent/trending
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/17.04
- version/ubuntu ubuntu/16.04
- version/ubuntu ubuntu/14.04