UbuntuUpdates.org

Package "ruby1.9.1"

Name: ruby1.9.1

Description:

Interpreter of object-oriented scripting language Ruby

Latest version: 1.9.3.484-2ubuntu1.11
Release: trusty (14.04)
Level: updates
Repository: main
Homepage: http://www.ruby-lang.org/


Other versions of "ruby1.9.1" in Trusty

Repository                            Area      Version
base                                  universe  1.9.3.484-2ubuntu1
base                                  main      1.9.3.484-2ubuntu1
security                              main      1.9.3.484-2ubuntu1.11
security                              universe  1.9.3.484-2ubuntu1.11
updates                               universe  1.9.3.484-2ubuntu1.11
PPA: Brightbox Ruby NG Experimental             1:1.9.3.551-557bbox8~trusty1

Packages in group


libruby1.9.1 libruby1.9.1-dbg ruby1.9.1-dev ruby1.9.1-examples

Changelog

Version: 1.9.3.484-2ubuntu1.11 2018-04-16 21:07:17 UTC

  ruby1.9.1 (1.9.3.484-2ubuntu1.11) trusty-security; urgency=medium

  * SECURITY UPDATE: Directory traversal vulnerability
    - debian/patches/CVE-2018-6914.patch: fix in lib/tmpdir.rb,
      test/test_tempfile.rb.
    - CVE-2018-6914
  * SECURITY UPDATE: Buffer under-read
    - debian/patches/CVE-2018-8778.patch: fix in pack.c,
      test/ruby/test_pack.rb.
    - CVE-2018-8778
  * SECURITY UPDATE: Unintended socket
    - debian/patches/CVE-2018-8779.patch: fix in ext/socket/unixsocket.c,
      test/socket/test_unix.rb.
    - CVE-2018-8779
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-8780.patch: fix in dir.c,
      test/ruby/test_dir.rb.
    - CVE-2018-8780

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 16 Apr 2018 10:52:29 -0300

CVE-2018-6914 Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5
CVE-2018-8778 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (
CVE-2018-8779 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open method
CVE-2018-8780 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.emp

Version: 1.9.3.484-2ubuntu1.10 2018-04-13 19:06:40 UTC

  ruby1.9.1 (1.9.3.484-2ubuntu1.10) trusty-security; urgency=medium

  * SECURITY REGRESSION: The fix for CVE-2018-1000074 was incomplete
    and will be addressed in a future update.

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 13 Apr 2018 09:53:54 -0300


Version: 1.9.3.484-2ubuntu1.8 2018-04-05 18:06:49 UTC

  ruby1.9.1 (1.9.3.484-2ubuntu1.8) trusty-security; urgency=medium

  * SECURITY UPDATE: Deserialization of untrusted data
    - debian/patches/CVE-2018-1000074*.patch fix in
      lib/rubygems/commands/owner_command.rb,
      test/rubygems/test_gem_commands_owner_command.rb.
    - CVE-2018-1000074
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2018-1000075.patch: fix in
      lib/rubygems/package/tar_header.rb,
      test/rubygems/test_gem_package_tar_header.rb.
    - CVE-2018-1000075
  * SECURITY UPDATE: Validation vulnerability
    - debian/patches/CVE-2018-1000077.patch: fix in
      lib/rubygems/specification.rb,
      test/rubygems/test_gem_specification.rb.
    - CVE-2018-1000077
  * SECURITY UPDATE: Cross site scripting
    - debian/patches/CVE-2018-1000078.patch: fix in
      lib/rubygems/server.rb.
    - CVE-2018-1000078

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 02 Apr 2018 16:24:32 -0300


Version: 1.9.3.484-2ubuntu1.7 2018-01-10 17:07:02 UTC

  ruby1.9.1 (1.9.3.484-2ubuntu1.7) trusty-security; urgency=medium

  * SECURITY UPDATE: possible command injection attacks through
    Kernel#open
    - debian/patches/CVE-2017-17790.patch: fix uses of Kernel#open in
      lib/resolv.rb.
    - CVE-2017-17790

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 08 Jan 2018 17:41:26 -0300

CVE-2017-17790 The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by

Version: 1.9.3.484-2ubuntu1.6 2018-01-04 18:06:23 UTC

  ruby1.9.1 (1.9.3.484-2ubuntu1.6) trusty-security; urgency=medium

  * SECURITY UPDATE: command injection through Net::FTP
    - debian/patches/CVE-2017-17405.patch: fix command injection
      in lib/net/ftp.rb.
    - CVE-2017-17405

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 18 Dec 2017 14:36:12 -0300

CVE-2017-17405 Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to


