UbuntuUpdates.org

Package "ruby1.9.1"

Name: ruby1.9.1

Description:

Interpreter of object-oriented scripting language Ruby

Latest version: 1.9.3.484-2ubuntu1.14
Release: trusty (14.04)
Level: updates
Repository: main
Homepage: http://www.ruby-lang.org/

Other versions of "ruby1.9.1" in Trusty

Repository Area Version
base universe 1.9.3.484-2ubuntu1
base main 1.9.3.484-2ubuntu1
security universe 1.9.3.484-2ubuntu1.14
security main 1.9.3.484-2ubuntu1.14
updates universe 1.9.3.484-2ubuntu1.14
PPA: Brightbox Ruby NG Experimental 1:1.9.3.551-557bbox8~trusty1

Changelog

Version: 1.9.3.484-2ubuntu1.8 2018-04-05 18:06:49 UTC

  ruby1.9.1 (1.9.3.484-2ubuntu1.8) trusty-security; urgency=medium

  * SECURITY UPDATE: Deserialization of untrusted data
    - debian/patches/CVE-2018-1000074*.patch: fix in
      lib/rubygems/commands/owner_command.rb,
      test/rubygems/test_gem_commands_owner_command.rb.
    - CVE-2018-1000074
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2018-1000075.patch: fix in
      lib/rubygems/package/tar_header.rb,
      test/rubygems/test_gem_package_tar_header.rb.
    - CVE-2018-1000075
  * SECURITY UPDATE: Validation vulnerability
    - debian/patches/CVE-2018-1000077.patch: fix in
      lib/rubygems/specification.rb,
      test/rubygems/test_gem_specification.rb.
    - CVE-2018-1000077
  * SECURITY UPDATE: Cross site scripting
    - debian/patches/CVE-2018-1000078.patch: fix in
      lib/rubygems/server.rb.
    - CVE-2018-1000078

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 02 Apr 2018 16:24:32 -0300


Version: 1.9.3.484-2ubuntu1.7 2018-01-10 17:07:02 UTC

  ruby1.9.1 (1.9.3.484-2ubuntu1.7) trusty-security; urgency=medium

  * SECURITY UPDATE: possible command injection attacks through
    kernel#open
    - debian/patches/CVE-2017-17790.patch: fix uses of Kernel#open in
      lib/resolv.rb.
    - CVE-2017-17790

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 08 Jan 2018 17:41:26 -0300

CVE-2017-17790 The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by

Version: 1.9.3.484-2ubuntu1.6 2018-01-04 18:06:23 UTC

  ruby1.9.1 (1.9.3.484-2ubuntu1.6) trusty-security; urgency=medium

  * SECURITY UPDATE: command injection through Net::FTP
    - debian/patches/CVE-2017-17405.patch: fix command injection
      in lib/net/ftp.rb.
    - CVE-2017-17405

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 18 Dec 2017 14:36:12 -0300

CVE-2017-17405 Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to

Version: 1.9.3.484-2ubuntu1.5 2017-10-05 18:06:48 UTC

  ruby1.9.1 (1.9.3.484-2ubuntu1.5) trusty-security; urgency=medium

  * SECURITY UPDATE: Buffer underrun vulnerability
    - debian/patches/CVE-2017-0898-10748-14033-14064.patch
      patch extracted from debian Wheezy.
    - CVE-2017-0898
  * SECURITY UPDATE: ANSI escape sequence vulnerability
    - debian/patches/CVE-2017-0899-0900-0901.patch
      patch extracted from debian Wheezy.
    - CVE-2017-0899
  * SECURITY UPDATE: DoS vulnerability in query command
    - debian/patches/CVE-2017-0899-0900-0901-0902.patch
      patch extracted from debian Wheezy.
    - CVE-2017-0900
  * SECURITY UPDATE: Malicious gem overwrite arbitrary files
    - debian/patches/CVE-2017-0899-0900-0901.patch
      patch extracted from debian Wheezy.
    - CVE-2017-0901
  * SECURITY UPDATE: Escape sequence injection vulnerability
    - debian/patches/CVE-2017-0898-10748-14033-14064.patch
      patch extracted from debian Wheezy.
    - CVE-2017-10748
  * SECURITY UPDATE: Buffer underrun
    - debian/patches/CVE-2017-0898-10748-14033-14064.patch
      patch extracted from debian Wheezy.
    - CVE-2017-14033
  * SECURITY UPDATE: Heap exposure
    - debian/patches/CVE-2017-0898-10748-14033-14064.patch
      patch extracted from debian Wheezy.
    - CVE-2017-14064

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 03 Oct 2017 16:25:24 -0300

CVE-2017-0898 Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such
CVE-2017-0899 RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem
CVE-2017-0900 RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clie
CVE-2017-0901 RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on th
CVE-2017-10748 RESERVED
CVE-2017-14033 RESERVED
CVE-2017-14064 RESERVED

Version: 1.9.3.484-2ubuntu1.3 2017-07-25 19:06:47 UTC

  ruby1.9.1 (1.9.3.484-2ubuntu1.3) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS and possible code execution in DL::dlopen
    - debian/patches/CVE-2009-5147.patch: check tainted string arguments in
      ext/dl/handle.c.
    - CVE-2009-5147
  * SECURITY UPDATE: incorrect hostname matching
    - debian/patches/CVE-2015-1855.patch: implement stricter hostname
      validation per RFC 6125 in ext/openssl/lib/openssl/ssl-internal.rb,
      added tests to test/openssl/test_ssl.rb.
    - CVE-2015-1855
  * SECURITY UPDATE: SMTP command injection
    - debian/patches/CVE-2015-9096.patch: don't allow bare CR or LF in
      lib/net/smtp.rb, added test to test/net/smtp/test_smtp.rb.
    - CVE-2015-9096
  * SECURITY UPDATE: type confusion in tcltkip
    - debian/patches/CVE-2016-2337.patch: check argument in
      ext/tk/tcltklib.c.
    - CVE-2016-2337
  * SECURITY UPDATE: heap overflow in Fiddle::Function.new
    - debian/patches/CVE-2016-2339.patch: check arguments in
      ext/fiddle/function.c.
    - CVE-2016-2339
  * SECURITY UPDATE: use of same initialization vector (IV)
    - debian/patches/CVE-2016-7798.patch: don't set dummy key in
      ext/openssl/ossl_cipher.c, added test to test/openssl/test_cipher.rb.
    - CVE-2016-7798

 -- Marc Deslauriers <email address hidden> Tue, 20 Jun 2017 08:03:20 -0400

CVE-2009-5147 DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
CVE-2015-1855 OpenSSL extension hostname matching implementation violates RFC 6125
CVE-2015-9096 Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF
CVE-2016-2337 Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cau
CVE-2016-2339 An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "i
CVE-2016-7798 The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier fo
