Debian Security Advisory
DSA-3966-1 ruby2.3 -- security update
- Date Reported:
- 05 Sep 2017
- Affected Packages:
- ruby2.3
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2015-9096, CVE-2016-7798, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901, CVE-2017-0902, CVE-2017-14064.
- More information:
-
Multiple vulnerabilities were discovered in the interpreter for the Ruby language:
- CVE-2015-9096
SMTP command injection in Net::SMTP.
- CVE-2016-7798
Incorrect handling of initialization vector in the GCM mode in the OpenSSL extension.
- CVE-2017-0900
Denial of service in the RubyGems client.
- CVE-2017-0901
Potential file overwrite in the RubyGems client.
- CVE-2017-0902
DNS hijacking in the RubyGems client.
- CVE-2017-14064
Heap memory disclosure in the JSON library.
For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u1. This update also hardens RubyGems against malicious terminal escape sequences (CVE-2017-0899).
We recommend that you upgrade your ruby2.3 packages.
- CVE-2015-9096