Security Information / 2017 / Security Information -- DSA-3966-1 ruby2.3

Debian Security Advisory

DSA-3966-1 ruby2.3 -- security update

Date Reported:

05 Sep 2017

Affected Packages:

ruby2.3

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-9096, CVE-2016-7798, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901, CVE-2017-0902, CVE-2017-14064.

More information:

Multiple vulnerabilities were discovered in the interpreter for the Ruby language:

• CVE-2015-9096

  SMTP command injection in Net::SMTP.

• CVE-2016-7798

  Incorrect handling of initialization vector in the GCM mode in the OpenSSL extension.

• CVE-2017-0900

  Denial of service in the RubyGems client.

• CVE-2017-0901

  Potential file overwrite in the RubyGems client.

• CVE-2017-0902

  DNS hijacking in the RubyGems client.

• CVE-2017-14064

  Heap memory disclosure in the JSON library.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u1. This update also hardens RubyGems against malicious terminal escape sequences (CVE-2017-0899).

We recommend that you upgrade your ruby2.3 packages.