Debian Security Advisory
DLA-2158-1 ruby2.1 -- LTS security update
- Date Reported:
- 25 Mar 2020
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2016-2338.
- More information:
An exploitable heap overflow vulnerability exists in the Psych::Emitter startdocument function of Ruby. In Psych::Emitter startdocument function heap buffer
headallocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow
For Debian 8
Jessie, this problem has been fixed in version 2.1.5-2+deb8u9.
We recommend that you upgrade your ruby2.1 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS