Debian Security Advisory
DLA-1480-1 ruby2.1 -- LTS security update
- Date Reported: 27 Aug 2018
- Affected Packages: ruby2.1
- Security database references:
  In the Debian bugtracking system: Bug 895778, Bug 851161.
  In Mitre's CVE dictionary: CVE-2016-2337, CVE-2018-1000073, CVE-2018-1000074.
- More information:
Several vulnerabilities were discovered in Ruby 2.1.
Type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker passing an object of a type other than String as the retval argument can cause arbitrary code execution.
RubyGems contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root.
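The directory traversal above arises when a destination path is built by joining an archive entry name onto the install root without checking where the result actually lands on disk. The following added example (illustrative code, not RubyGems' own install_location) contrasts a naive join with a check that resolves symlinks and refuses any destination outside the root; the naive_install_location, safe_install_location and demonstrate names, the PathEscapeError class and the temporary directory layout are all assumptions constructed for the demonstration.

```ruby
require 'tmpdir'

# Naive version (hypothetical): joins the entry name onto the install root and
# never checks where the result lands. A "../" component or a symlinked
# subdirectory inside the root redirects the write outside the root.
def naive_install_location(filename, install_dir)
  File.join(install_dir, filename)
end

class PathEscapeError < StandardError; end

# Hardened version (hypothetical): normalise the candidate, resolve symlinks in
# the deepest ancestor that already exists, and require the final real path to
# stay inside the real install root.
def safe_install_location(filename, install_dir)
  root = File.realpath(install_dir)
  candidate = File.expand_path(filename, root) # collapses "..", anchors at root

  # The file itself (and maybe its parents) may not exist yet, so walk up to the
  # deepest existing ancestor and resolve symlinks there.
  existing = candidate
  existing = File.dirname(existing) until File.exist?(existing)
  tail = candidate[existing.length..-1] # part not yet on disk ("" or "/sub/file")
  real = File.realpath(existing) + tail

  unless real == root || real.start_with?(root + File::SEPARATOR)
    raise PathEscapeError, "#{filename.inspect} resolves outside #{root}"
  end
  real
end

# Constructed scenario: an install root containing a symlink that points to a
# directory outside the root, plus a "../" entry name.
def demonstrate
  results = {}
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, 'gems')
    outside = File.join(tmp, 'outside')
    Dir.mkdir(root)
    Dir.mkdir(outside)
    File.symlink(outside, File.join(root, 'link')) # symlink inside the root

    # Naive join: the parent directory of the computed path is really 'outside'.
    results[:naive_symlink_parent] = File.realpath(File.dirname(naive_install_location('link/evil.rb', root)))
    results[:outside] = File.realpath(outside)

    results[:safe_ok] = safe_install_location('lib/foo.rb', root).end_with?('/gems/lib/foo.rb')
    results[:safe_dotdot] = begin
      safe_install_location('../escape.txt', root)
      :allowed
    rescue PathEscapeError
      :blocked
    end
    results[:safe_symlink] = begin
      safe_install_location('link/evil.rb', root)
      :allowed
    rescue PathEscapeError
      :blocked
    end
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  demonstrate.each { |k, v| puts "#{k}: #{v}" }
end
```

The check deliberately compares real paths rather than strings of the joined path: a string prefix test on the unresolved path would accept `link/evil.rb`, which is exactly the symlinked-basedir case the advisory describes.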
RubyGems contains a Deserialization of Untrusted Data vulnerability in the owner command that can result in code execution. This attack appears to be exploitable when the victim runs the gem owner command on a gem with a specially crafted YAML file.
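The deserialization issue above comes from loading YAML with the full object-reviving loader, which lets the document itself choose which Ruby classes get instantiated. The following added example (not RubyGems' code) shows a constructed tagged document being turned into an object by the full loader, and the same document being rejected by YAML.safe_load; GemMetadataStub, CRAFTED_YAML, PLAIN_YAML, unsafe_parse, safe_parse and demonstrate_yaml are assumptions made for the demonstration.

```ruby
require 'yaml'

# Constructed stand-in for an application class; a tagged YAML node can ask the
# full loader to instantiate it.
class GemMetadataStub
  attr_reader :name
end

# Constructed "crafted" document: the !ruby/object tag requests an arbitrary
# object instead of a plain Hash. A benign document for comparison.
CRAFTED_YAML = "--- !ruby/object:GemMetadataStub\nname: example\n"
PLAIN_YAML   = "---\nname: example\nversion: 1.0\n"

# Full deserializer: honours tags, so the document decides what gets built.
# Psych 4 (Ruby 3.1+) moved this behaviour to YAML.unsafe_load; on older Psych
# it is what YAML.load does.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Restricted deserializer: only core scalar and collection types are built;
# a tagged object raises Psych::DisallowedClass instead of being instantiated.
def safe_parse(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass
  :blocked
end

def demonstrate_yaml
  {
    unsafe_crafted: unsafe_parse(CRAFTED_YAML).class.name, # object was built
    safe_crafted:   safe_parse(CRAFTED_YAML),              # rejected
    safe_plain:     safe_parse(PLAIN_YAML)                 # ordinary Hash
  }
end

if __FILE__ == $PROGRAM_NAME
  demonstrate_yaml.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Treating gem metadata as untrusted input and loading it with safe_load (adding explicit permitted classes only where the format genuinely needs them) is the mitigation that removes the class of bug, independent of which particular class a crafted file names.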
For Debian 8 "Jessie", these problems have been fixed in version 2.1.5-2+deb8u5.
We recommend that you upgrade your ruby2.1 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS