Package "ruby1.9.1"
Name: ruby1.9.1
Description: Interpreter of object-oriented scripting language Ruby
Latest version: 1.9.3.484-2ubuntu1.14
Release: trusty (14.04)
Level: updates
Repository: main
Homepage: http://www.ruby-lang.org/
Changelog
ruby1.9.1 (1.9.3.484-2ubuntu1.8) trusty-security; urgency=medium

  * SECURITY UPDATE: Deserialization of untrusted data
    - debian/patches/CVE-2018-1000074*.patch: fix in
      lib/rubygems/commands/owner_command.rb,
      test/rubygems/test_gem_commands_owner_command.rb.
    - CVE-2018-1000074
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2018-1000075.patch: fix in
      lib/rubygems/package/tar_header.rb,
      test/rubygems/test_gem_package_tar_header.rb.
    - CVE-2018-1000075
  * SECURITY UPDATE: Validation vulnerability
    - debian/patches/CVE-2018-1000077.patch: fix in
      lib/rubygems/specification.rb,
      test/rubygems/test_gem_specification.rb.
    - CVE-2018-1000077
  * SECURITY UPDATE: Cross site scripting
    - debian/patches/CVE-2018-1000078.patch: fix in
      lib/rubygems/server.rb.
    - CVE-2018-1000078

 -- Leonidas S. Barbosa <email address hidden>  Mon, 02 Apr 2018 16:24:32 -0300
ruby1.9.1 (1.9.3.484-2ubuntu1.7) trusty-security; urgency=medium

  * SECURITY UPDATE: possible command injection attacks through
    Kernel#open
    - debian/patches/CVE-2017-17790.patch: fix uses of Kernel#open in
      lib/resolv.rb.
    - CVE-2017-17790

 -- Leonidas S. Barbosa <email address hidden>  Mon, 08 Jan 2018 17:41:26 -0300
CVE-2017-17790: The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by
ruby1.9.1 (1.9.3.484-2ubuntu1.6) trusty-security; urgency=medium

  * SECURITY UPDATE: command injection through Net::FTP
    - debian/patches/CVE-2017-17405.patch: fix command injection
      in lib/net/ftp.rb.
    - CVE-2017-17405

 -- Leonidas S. Barbosa <email address hidden>  Mon, 18 Dec 2017 14:36:12 -0300
CVE-2017-17405: Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to
ruby1.9.1 (1.9.3.484-2ubuntu1.5) trusty-security; urgency=medium

  * SECURITY UPDATE: Buffer underrun vulnerability
    - debian/patches/CVE-2017-0898-10748-14033-14064.patch:
      patch extracted from Debian Wheezy.
    - CVE-2017-0898
  * SECURITY UPDATE: ANSI escape sequence vulnerability
    - debian/patches/CVE-2017-0899-0900-0901.patch:
      patch extracted from Debian Wheezy.
    - CVE-2017-0899
  * SECURITY UPDATE: DoS vulnerability in query command
    - debian/patches/CVE-2017-0899-0900-0901-0902.patch:
      patch extracted from Debian Wheezy.
    - CVE-2017-0900
  * SECURITY UPDATE: Malicious gem overwrites arbitrary files
    - debian/patches/CVE-2017-0899-0900-0901.patch:
      patch extracted from Debian Wheezy.
    - CVE-2017-0901
  * SECURITY UPDATE: Escape sequence injection vulnerability
    - debian/patches/CVE-2017-0898-10748-14033-14064.patch:
      patch extracted from Debian Wheezy.
    - CVE-2017-10748
  * SECURITY UPDATE: Buffer underrun
    - debian/patches/CVE-2017-0898-10748-14033-14064.patch:
      patch extracted from Debian Wheezy.
    - CVE-2017-14033
  * SECURITY UPDATE: Heap exposure
    - debian/patches/CVE-2017-0898-10748-14033-14064.patch:
      patch extracted from Debian Wheezy.
    - CVE-2017-14064

 -- Leonidas S. Barbosa <email address hidden>  Tue, 03 Oct 2017 16:25:24 -0300
CVE-2017-0898: Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such
CVE-2017-0899: RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem
CVE-2017-0900: RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clie
CVE-2017-0901: RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on th
CVE-2017-1074: RESERVED
CVE-2017-1403: RESERVED
CVE-2017-1406: RESERVED
ruby1.9.1 (1.9.3.484-2ubuntu1.3) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS and possible code execution in DL::dlopen
    - debian/patches/CVE-2009-5147.patch: check tainted string arguments in
      ext/dl/handle.c.
    - CVE-2009-5147
  * SECURITY UPDATE: incorrect hostname matching
    - debian/patches/CVE-2015-1855.patch: implement stricter hostname
      validation per RFC 6125 in ext/openssl/lib/openssl/ssl-internal.rb,
      added tests to test/openssl/test_ssl.rb.
    - CVE-2015-1855
  * SECURITY UPDATE: SMTP command injection
    - debian/patches/CVE-2015-9096.patch: don't allow bare CR or LF in
      lib/net/smtp.rb, added test to test/net/smtp/test_smtp.rb.
    - CVE-2015-9096
  * SECURITY UPDATE: type confusion in tcltkip
    - debian/patches/CVE-2016-2337.patch: check argument in
      ext/tk/tcltklib.c.
    - CVE-2016-2337
  * SECURITY UPDATE: heap overflow in Fiddle::Function.new
    - debian/patches/CVE-2016-2339.patch: check arguments in
      ext/fiddle/function.c.
    - CVE-2016-2339
  * SECURITY UPDATE: use of same initialization vector (IV)
    - debian/patches/CVE-2016-7798.patch: don't set dummy key in
      ext/openssl/ossl_cipher.c, added test to test/openssl/test_cipher.rb.
    - CVE-2016-7798

 -- Marc Deslauriers <email address hidden>  Tue, 20 Jun 2017 08:03:20 -0400
CVE-2009-5147: DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
CVE-2015-1855: OpenSSL extension hostname matching implementation violates RFC 6125
CVE-2015-9096: Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF
CVE-2016-2337: Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cau
CVE-2016-2339: An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "i
CVE-2016-7798: The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier fo