Advisories » MGASA-2017-0290

Updated ruby packages fix security vulnerabilities

Publication date: 20 Aug 2017
Modification date: 20 Aug 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2015-9096 , CVE-2016-2337 , CVE-2016-2339

Description

It was discovered that Ruby Net::SMTP incorrectly handled CRLF
sequences. A remote attacker could possibly use this issue to inject
SMTP commands. (CVE-2015-9096)

Marcin Noga discovered that Ruby incorrectly handled certain arguments
in a TclTkIp class method. An attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-2337)

It was discovered that Ruby Fiddle::Function.new incorrectly handled
certain arguments. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-2339)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=20625
• https://usn.ubuntu.com/usn/usn-3365-1/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9096
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2337
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2339

SRPMS

5/core

• ruby-2.0.0.p648-1.4.mga5

6/core

• ruby-2.2.7-1.mga6