UbuntuUpdates.org

Package "ruby2.0-tcltk"

Name: ruby2.0-tcltk

Description:

Ruby/Tk for Ruby 2.0

Latest version: 2.0.0.484-1ubuntu2.13
Release: trusty (14.04)
Level: security
Repository: universe
Head package: ruby2.0
Homepage: http://www.ruby-lang.org/

Links


Download "ruby2.0-tcltk"


Other versions of "ruby2.0-tcltk" in Trusty

Repository Area Version
base universe 2.0.0.484-1ubuntu2
updates universe 2.0.0.484-1ubuntu2.13
PPA: Brightbox Ruby NG Experimental 2.0.0.648-654bbox1~trusty1

Changelog

Version: 2.0.0.484-1ubuntu2.13 2019-04-11 15:07:22 UTC

  ruby2.0 (2.0.0.484-1ubuntu2.13) trusty-security; urgency=medium

  * SECURITY UPDATE: Delete directory using symlink when decompressing tar,
    Escape sequence injection vulnerability in gem owner, Escape sequence
    injection vulnerability in API response handling, Arbitrary code exec,
    Escape sequence injection vulnerability in errors
    - debian/patches/CVE-2019-8320-25.patch: fix in
      lib/rubygems/command_manager.rb,
      lib/rubygems/commands/owner_command.rb,
      lib/rubygems/gemcutter_utilities.rb,
      lib/rubygems/installer.rb,
      lib/rubygems/package.rb,
      test/rubygems/test_gem_installer.rb,
      test/rubygems/test_gem_package.rb,
      test/rubygems/test_gem_text.rb.
    - CVE-2019-8320
    - CVE-2019-8321
    - CVE-2019-8322
    - CVE-2019-8323
    - CVE-2019-8324
    - CVE-2019-8325
  * Fixing expired certification that causes tests to fail
    - debian/patches/fixing_expired_SSL_certificates.patch: updating certs in
      test/net/imap/cacert.pen, test/net/imap/server.crt,
      test/net/imap/server.key.

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 29 Mar 2019 12:53:02 -0300

Source diff to previous version
CVE-2019-8320 RESERVED
CVE-2019-8321 Escape sequence injection vulnerability in verbose
CVE-2019-8322 Escape sequence injection vulnerability in gem owner
CVE-2019-8323 Escape sequence injection vulnerability in API response handling
CVE-2019-8324 Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8325 Escape sequence injection vulnerability in errors

Version: 2.0.0.484-1ubuntu2.11 2018-11-05 20:06:56 UTC

  ruby2.0 (2.0.0.484-1ubuntu2.11) trusty-security; urgency=medium

  * SECURITY UPDATE: Name equality check
    - debian/patches/CVE-2018-16395.patch: fix in
      ext/openssl/ossl_x509name.c.
    - CVE-2018-16395
  * SECURITY UPDATE: Tainted flags not propagted
    - debian/patches/CVE-2018-16396.patch: fix in
      pack.c, test/ruby/test_pack.rb.
    - CVE-2018-16396

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 29 Oct 2018 14:09:40 -0300

Source diff to previous version
CVE-2018-16395 RESERVED
CVE-2018-16396 RESERVED

Version: 2.0.0.484-1ubuntu2.10 2018-06-14 14:07:52 UTC

  ruby2.0 (2.0.0.484-1ubuntu2.10) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS vulnerability in query command
    - debian/patches/CVE-2017-0901-0902.patch
      patch extracted from debian Wheezy.
    - CVE-2017-0901
    - CVE-2017-0902
  * SECURITY UPDATE: Remote code execution
    - debian/patches/CVE-2017-0903.patch: fix in lib/rubygems.rb,
      lib/rubygems/config_file.rb, lib/rubygems/safe_yaml.rb,
      lib/rubygems/specification.rb.
    - CVE-2017-0903
  * SECURITY UPDATE: possibly execute arbitrary commands via a crafted user name
    - debian/patches/CVE-2017-10784.patch: sanitize any type of logs in
      lib/webrick/httpstatus.rb, lib/webrick/log.rb and test/webrick/test_httpauth.rb.
    - CVE-2017-10784
  * SECURITY UPDATE: Arbitrary memory expose during a JSON.generate call
    - debian/patches/CVE-2017-14064.patch: fix this in
      ext/json/ext/generator/generator.c and ext/json/ext/generator/generator.h.
    - CVE-2017-14064
  * SECURITY UPDATE: Malicious format string - buffer overrun
    - debian/patches/CVE-2017-0898.patch: fix in sprintf.c,
      test/ruby/test_sprintf.rb.
    - CVE-2017-0898
  * SECURITY UPDATE: Response splitting attack
    - debian/patches/CVE-2017-17742*.patch: fix in webrick/httpresponse.rb,
    - CVE-2017-17742
  * SECURITY UPDATE: Deserialization untrusted data
    - debian/patches/CVE-2018-1000074.patch fix in
      lib/rubygems/commands/owner_command.rb,
    - CVE-2018-1000074
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-8777*.patch: fix in lib/webrick/httpresponse.rb,
      lib/webrick/httpservlet/filehandler.rb,
    - CVE-2018-8777

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 11 Jun 2018 12:03:55 -0300

Source diff to previous version
CVE-2017-0901 RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on th
CVE-2017-0902 RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to downlo
CVE-2017-0903 RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specificatio
CVE-2017-10784 The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject
CVE-2017-14064 Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using st
CVE-2017-0898 Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such
CVE-2017-17742 Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attac
CVE-2018-1000074 RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 a
CVE-2018-8777 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with

Version: 2.0.0.484-1ubuntu2.9 2018-04-16 19:06:55 UTC

  ruby2.0 (2.0.0.484-1ubuntu2.9) trusty-security; urgency=medium

  * SECURITY UPDATE: Directory traversal vulnerability
    - debian/patches/CVE-2018-6914.patch: fix in lib/tmpdir.rb,
      test/test_tempfile.rb.
    - CVE-2018-6914
  * SECURITY UPDATE: Buffer under-read
    - debian/patches/CVE-2018-8778.patch: fix in pack.c,
      test/ruby/test_pack.rb.
    - CVE-2018-8778
  * SECURITY UPDATE: Unintended socket
    - debian/patches/CVE-2018-8779.patch: fix in ext/socket/unixsocket.c,
      test/socket/test_unix.rb.
    - CVE-2018-8779
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-8780.patch: fix in dir.c,
      test/ruby/test_dir.rb.
    - CVE-2018-8780

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 16 Apr 2018 11:03:32 -0300

Source diff to previous version
CVE-2018-6914 Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5
CVE-2018-8778 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (
CVE-2018-8779 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open method
CVE-2018-8780 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.emp

Version: 2.0.0.484-1ubuntu2.8 2018-04-13 18:06:46 UTC

  ruby2.0 (2.0.0.484-1ubuntu2.8) trusty-security; urgency=medium

  * SECURITY REGRESSION: The fix for CVE-2018-1000074 was incomplete
    and will be addressed in a future update.

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 13 Apr 2018 10:37:58 -0300




About   -   Send Feedback to @ubuntu_updates