Updated ruby-RubyGems packages fix security vulnerabilities
Publication date: 31 Dec 2017Modification date: 31 Dec 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-0899 , CVE-2017-0900 , CVE-2017-0901 , CVE-2017-0902 , CVE-2017-0903
Description
An ANSI escape sequence vulnerability (CVE-2017-0899). A DoS vulnerability in the query command (CVE-2017-0900). A vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files (CVE-2017-0901). A DNS request hijacking vulnerability (CVE-2017-0902). An unsafe object deserialization vulnerability that allows an attacker to inject an instance of an object of their choosing in the target system. A clever attacker can inject an object that is able to interact with the system in such a way that will allow the attacker to execute arbitrary code (CVE-2017-0903).
References
- https://bugs.mageia.org/show_bug.cgi?id=21639
- https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
- http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903
SRPMS
5/core
- ruby-RubyGems-2.1.11-5.2.mga5
6/core
- ruby-RubyGems-2.4.8-7.1.mga6