-
ruby2.3 (2.3.3-1ubuntu1.6) artful-security; urgency=medium
* SECURITY UPDATE: Malicious format string - buffer overrun
- debian/patches/CVE-2017-0898.patch: fix in sprintf.c,
test/ruby/test_sprintf.rb.
- CVE-2017-0898
* SECURITY UPDATE: Response splitting attack
- debian/patches/CVE-2017-17742.patch: fix in webrick/httpresponse.rb,
test/webrick/test_httpresponse.rb.
- CVE-2017-17742
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-8777*.patch: fix in lib/webrick/httpresponse.rb,
lib/webrick/httpservlet/filehandler.rb,
test/webrick/test_filehandler.rb, test/webrick/test_httpresponse.rb.
- CVE-2018-8777
-- <email address hidden> (Leonidas S. Barbosa) Mon, 11 Jun 2018 10:06:34 -0300
-
ruby2.3 (2.3.3-1ubuntu1.5) artful-security; urgency=medium
* SECURITY UPDATE: Directory traversal vulnerability
- debian/patches/CVE-2018-6914.patch: fix in lib/tmpdir.rb,
test/test_tempfile.rb.
- CVE-2018-6914
* SECURITY UPDATE: Buffer under-read
- debian/patches/CVE-2018-8778.patch: fix in pack.c,
test/ruby/test_pack.rb.
- CVE-2018-8778
* SECURITY UPDATE: Unintended socket
- debian/patches/CVE-2018-8779.patch: fix in ext/socket/unixsocket.c,
test/socket/test_unix.rb.
- CVE-2018-8779
* SECURITY UPDATE: Directory traversal
- debian/patches/CVE-2018-8780.patch: fix in dir.c,
test/ruby/test_dir.rb.
- CVE-2018-8780
-- <email address hidden> (Leonidas S. Barbosa) Fri, 13 Apr 2018 13:21:34 -0300
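The CVE-2018-6914 entry above concerns temporary-file names built from a caller-supplied prefix or suffix that may contain path separators, so that the file ends up outside the temp directory. The following is an added example, not code from the Ubuntu package or from upstream lib/tmpdir.rb: it shows the check a name builder should apply to each component and a second, defence-in-depth containment check on the final path. The helpers tmp_component, inside? and safe_tmp_path are hypothetical names introduced here.

```ruby
require 'tmpdir'

# Hypothetical name builder (not Ruby's Dir::Tmpname): the caller's prefix and
# suffix become a single path component, so neither may contain a separator,
# a NUL byte, or be anything other than a String.
def tmp_component(prefix, suffix = "")
  [[prefix, "prefix"], [suffix, "suffix"]].each do |part, what|
    part = String.try_convert(part) or raise ArgumentError, "unexpected #{what}: #{part.inspect}"
    bad = part.include?(File::SEPARATOR) ||
          (File::ALT_SEPARATOR && part.include?(File::ALT_SEPARATOR)) ||
          part.include?("\0")
    raise ArgumentError, "#{what} must be a single path component: #{part.inspect}" if bad
  end
  "#{prefix}#{Time.now.strftime('%Y%m%d')}-#{Process.pid}-#{rand(0x100000000).to_s(36)}#{suffix}"
end

# Defence in depth: after the components are checked, confirm the resulting
# absolute path still lies under the intended root. File.expand_path collapses
# any ".." segments, so "/tmp/../etc/passwd" resolves to "/etc/passwd".
def inside?(root, path)
  root = File.expand_path(root)
  full = File.expand_path(path)
  full == root || full.start_with?(root + File::SEPARATOR)
end

def safe_tmp_path(root, prefix, suffix = "")
  path = File.join(root, tmp_component(prefix, suffix))
  raise ArgumentError, "#{path.inspect} escapes #{root.inspect}" unless inside?(root, path)
  path
end

if __FILE__ == $0
  puts safe_tmp_path(Dir.tmpdir, "upload-", ".bin")
  begin
    # Constructed malicious prefix: would have targeted a cron directory.
    safe_tmp_path(Dir.tmpdir, "../../etc/cron.d/evil")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The component check is the one that actually closes the hole; the containment check costs one expand_path and catches any future code path that assembles the name differently.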
-
ruby2.3 (2.3.3-1ubuntu1.4) artful-security; urgency=medium
* SECURITY UPDATE: Directory traversal
- debian/patches/CVE-2018-1000073.patch: fix in
lib/rubygems/package.rb.
- CVE-2018-1000073
* SECURITY UPDATE: Deserialization of untrusted data
- debian/patches/CVE-2018-1000074.patch: fix in
lib/rubygems/commands/owner_command.rb,
test/rubygems/test_gem_commands_owner_command.rb.
- CVE-2018-1000074
* SECURITY UPDATE: Infinite loop
- debian/patches/CVE-2018-1000075.patch: fix in
lib/rubygems/package/tar_header.rb,
test/rubygems/test_gem_package_tar_header.rb.
- CVE-2018-1000075
* SECURITY UPDATE: Improper verification of crypto signature
- debian/patches/CVE-2018-1000076.patch: fix in
lib/rubygems/package.rb, lib/rubygems/package/tar_writer.rb,
test/rubygems/test_gem_package.rb.
- CVE-2018-1000076
* SECURITY UPDATE: Validation vulnerability
- debian/patches/CVE-2018-1000077.patch: fix in
lib/rubygems/specification.rb,
test/rubygems/test_gem_specification.rb.
- CVE-2018-1000077
* SECURITY UPDATE: Cross site scripting
- debian/patches/CVE-2018-1000078.patch: fix in
lib/rubygems/server.rb.
- CVE-2018-1000078
* SECURITY UPDATE: Directory traversal
- debian/patches/CVE-2018-1000079.patch: fix in
lib/rubygems/package.rb.
- CVE-2018-1000079
-- <email address hidden> (Leonidas S. Barbosa) Wed, 04 Apr 2018 13:23:52 -0300
-
ruby2.3 (2.3.3-1ubuntu1.3) artful-security; urgency=medium
* SECURITY UPDATE: fails to validate specification names
- debian/patches/CVE-2017-0901-0902.patch: fix this.
- CVE-2017-0901
* SECURITY UPDATE: vulnerable to a DNS hijacking
- debian/patches/CVE-2017-0901-0902.patch: fix this.
- CVE-2017-0902
* SECURITY UPDATE: possible remote code execution
- debian/patches/CVE-2017-0903.patch: whitelist classes
and symbols that are in Gem spec YAML in lib/rubygems.rb,
lib/rubygems/config_file.rb, lib/rubygems/package.rb,
lib/rubygems/package/old.rb, lib/rubygems/safe_yaml.rb,
lib/rubygems/specification.rb.
- CVE-2017-0903
-- <email address hidden> (Leonidas S. Barbosa) Tue, 30 Jan 2018 15:00:37 -0300
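The CVE-2017-0903 entry above describes the fix as whitelisting the classes and symbols that may appear in gemspec YAML. The following is an added example, not the RubyGems code or its safe_yaml.rb: it loads a constructed spec-like document through YAML.safe_load with an explicit permitted list, so that a document tagged with any other class, or carrying an unlisted symbol, is rejected instead of being revived. ExampleSpec, load_spec_yaml and the sample documents are constructed for this illustration.

```ruby
require 'yaml'

# Stand-in for a gemspec-like object (constructed; not Gem::Specification).
class ExampleSpec
  attr_reader :name, :version
  def initialize(name = nil, version = nil)
    @name, @version = name, version
  end
end

# The allow list: only these classes may be revived from a "!ruby/object:" tag,
# and only these symbols may appear as values. Everything else raises
# Psych::DisallowedClass before any object is instantiated.
PERMITTED_CLASSES = [ExampleSpec, Symbol].freeze
PERMITTED_SYMBOLS = [:development, :runtime].freeze

def load_spec_yaml(yaml)
  YAML.safe_load(yaml, permitted_classes: PERMITTED_CLASSES,
                       permitted_symbols: PERMITTED_SYMBOLS,
                       aliases: false)
end

# Constructed documents for the example.
GOOD = <<~YAML
  --- !ruby/object:ExampleSpec
  name: demo
  version: "1.0"
YAML

# Same shape, but asks the loader to build a class that is not on the list.
UNKNOWN_CLASS = <<~YAML
  --- !ruby/object:OpenStruct
  table:
    cmd: id
YAML

# A symbol that is not on the list.
UNKNOWN_SYMBOL = "--- :__send__\n"

if __FILE__ == $0
  spec = load_spec_yaml(GOOD)
  puts "loaded #{spec.name} #{spec.version}"
  [UNKNOWN_CLASS, UNKNOWN_SYMBOL].each do |doc|
    begin
      load_spec_yaml(doc)
    rescue Psych::DisallowedClass => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The permitted_classes: and permitted_symbols: keywords are the Psych 3.1+ spelling; older Psych takes the same lists positionally. Keep aliases: false unless the format genuinely needs them, since alias expansion is a separate resource-exhaustion vector.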
-
ruby2.3 (2.3.3-1ubuntu1.2) artful-security; urgency=medium
* SECURITY UPDATE: possible command injection attacks through Kernel#open
- debian/patches/CVE-2017-17790.patch: fix uses of Kernel#open in
lib/resolv.rb.
- CVE-2017-17790
* SECURITY UPDATE: possibly execute arbitrary commands via a crafted user name
- debian/patches/CVE-2017-10784.patch: sanitize any type of logs in
lib/webrick/httpstatus.rb, lib/webrick/log.rb and test/webrick/test_httpauth.rb.
- CVE-2017-10784
* SECURITY UPDATE: denial of service via a crafted string
- debian/patches/CVE-2017-14033.patch: fix in ext/openssl/ossl_asn1.c.
- CVE-2017-14033
* SECURITY UPDATE: Arbitrary memory exposure during a JSON.generate call
- debian/patches/CVE-2017-14064.patch: fix this in
ext/json/ext/generator/generator.c and ext/json/ext/generator/generator.h.
- CVE-2017-14064
-- <email address hidden> (Leonidas S. Barbosa) Tue, 09 Jan 2018 11:41:26 -0300
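The CVE-2017-17790 entry above is about Kernel#open being handed a string it does not control: Kernel#open treats an argument that starts with "|" as a command to run in a subprocess, whereas File.open only ever opens a path. The following is an added example, not code from lib/resolv.rb or the Ubuntu patch: it contrasts the vulnerable pattern with the File.open replacement and with an explicit guard. The read_config_* helpers are hypothetical names introduced here, and "|echo injected" is a constructed input.

```ruby
# Vulnerable pattern: a caller-supplied string reaches Kernel#open.
# "|cmd" does not open a file; it spawns cmd and returns its output.
def read_config_vulnerable(path)
  open(path) { |f| f.read }
end

# Hardened form: File.open never interprets a leading "|", so the same string
# is just a file name that does not exist (Errno::ENOENT).
def read_config_safe(path)
  File.open(path) { |f| f.read }
end

# Explicit guard for code that must keep Kernel#open for other reasons:
# refuse pipe syntax and anything that is not an existing regular file.
def read_config_guarded(path)
  raise ArgumentError, "pipe syntax not allowed: #{path.inspect}" if path.start_with?("|")
  raise ArgumentError, "not a regular file: #{path.inspect}" unless File.file?(path)
  File.read(path)
end

if __FILE__ == $0
  print "Kernel#open ran a command and returned: ", read_config_vulnerable("|echo injected")
  begin
    read_config_safe("|echo injected")
  rescue Errno::ENOENT => e
    puts "File.open refused it: #{e.message}"
  end
end
```

The same applies to IO.read, IO.readlines and IO.foreach with a leading "|"; prefer File.read and friends whenever the argument is data rather than a literal in the source.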
-
ruby2.3 (2.3.3-1ubuntu1.1) artful-security; urgency=medium
* SECURITY UPDATE: command injection through Net::FTP
- debian/patches/CVE-2017-17405.patch: fix command injection
in lib/net/ftp.rb, test/net/ftp/test_ftp.rb.
- CVE-2017-17405
* Exclude some tests that fail in Launchpad
- debian/patches/0090-Exclude-tests-that-fail-on-Ubuntu-builds.patch
* Fix build issues with gcc7 and add new symbols, since this
patch/fix requires them
- debian/patches/fixing-gcc7-build-issue.patch (Closes: #853648)
-- <email address hidden> (Leonidas S. Barbosa) Tue, 02 Jan 2018 09:40:17 -0300
-
ruby2.3 (2.3.3-1ubuntu1) artful; urgency=medium
* SECURITY UPDATE: SMTP command injection
- debian/patches/CVE-2015-9096.patch: don't allow bare CR or LF in
lib/net/smtp.rb, added test to test/net/smtp/test_smtp.rb.
- CVE-2015-9096
* SECURITY UPDATE: use of same initialization vector (IV)
- debian/patches/CVE-2016-7798.patch: don't set dummy key in
ext/openssl/ossl_cipher.c, added test to test/openssl/test_cipher.rb.
- CVE-2016-7798
-- Marc Deslauriers <email address hidden> Fri, 16 Jun 2017 10:27:43 -0400
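Two entries on this page, CVE-2015-9096 (bare CR or LF in lib/net/smtp.rb) and CVE-2017-17742 (response splitting in webrick/httpresponse.rb), are the same bug class: a value interpolated into a line-oriented protocol carries a line terminator and so becomes an extra protocol line. The following is an added example, not code from net/smtp.rb, WEBrick or the Ubuntu patches: one check that refuses CR and LF, applied to an SMTP envelope and to an HTTP header block, beside an unchecked builder that shows what the injected bytes would produce. All function names and sample inputs are constructed for this illustration.

```ruby
# Refuse any value that could terminate the current protocol line.
def assert_single_line!(value, what)
  raise ArgumentError, "#{what} must not contain CR or LF: #{value.inspect}" if value.match?(/[\r\n]/)
  value
end

# SMTP: envelope addresses are interpolated into MAIL FROM / RCPT TO lines.
def smtp_envelope(from, to)
  ["MAIL FROM:<#{assert_single_line!(from, 'sender')}>\r\n",
   "RCPT TO:<#{assert_single_line!(to, 'recipient')}>\r\n"]
end

# HTTP: each header is "Name: value\r\n"; a value carrying CRLF would be
# read by the client as further headers (response splitting).
def http_header_block(status_line, headers)
  lines = ["#{status_line}\r\n"]
  headers.each do |name, value|
    lines << "#{assert_single_line!(name.to_s, 'header name')}: " \
             "#{assert_single_line!(value.to_s, 'header value')}\r\n"
  end
  lines.join + "\r\n"
end

# The unchecked builder, kept only to show the effect of the injected bytes.
def unchecked_header_block(status_line, headers)
  "#{status_line}\r\n" + headers.map { |n, v| "#{n}: #{v}\r\n" }.join + "\r\n"
end

if __FILE__ == $0
  # Constructed attacker-controlled redirect target.
  evil_location = "/\r\nSet-Cookie: sid=attacker"
  puts unchecked_header_block("HTTP/1.1 302 Found", "Location" => evil_location).inspect
  begin
    http_header_block("HTTP/1.1 302 Found", "Location" => evil_location)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  # Constructed recipient that tries to smuggle a second RCPT TO line.
  begin
    smtp_envelope("alice@example.com", "bob@example.com>\r\nRCPT TO:<eve@example.com")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Rejecting with an exception, rather than silently stripping the terminators, is the right default: a stripped value still reaches the wire with altered meaning, while an exception surfaces the tampering at the call site.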
-
ruby2.3 (2.3.3-1) unstable; urgency=medium
* New upstream version.
-- Christian Hofstaedtler <email address hidden> Tue, 22 Nov 2016 12:32:41 +0000