[FREEBSD:AFC60484-0652-440E-B01A-5EF814747F06] ruby -- multiple vulnerabilities
Severity
Critical
Affected Packages
1
CVEs
2
Ruby news:
CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly
An instance of OpenSSL::X509::Name contains entities such as CN, C and
so on. Some two instances of OpenSSL::X509::Name are equal only when
all entities are exactly equal. However, there is a bug that the
equality check is not correct if the value of an entity of the
argument (right-hand side) starts with the value of the receiver
(left-hand side). So, if a malicious X.509 certificate is passed to
compare with an existing certificate, there is a possibility to be
judged incorrectly that they are equal.
CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
Array#pack method converts the receiver's contents into a string with
specified format. If the receiver contains some tainted objects, the
returned string also should be tainted. String#unpack method which
converts the receiver into an array also should propagate its tainted
flag to the objects contained in the returned array. But, with B, b, H
and h directives, the tainted flags are not propagated. So, if a script
processes unreliable inputs by Array#pack and/or String#unpack with
these directives and checks the reliability with tainted flags, the
check might be wrong.
| Package | Affected Version |
|---|---|
 pkg:freebsd/ruby
|
< 2.3.8,1 |
- ID
- FREEBSD:AFC60484-0652-440E-B01A-5EF814747F06
- Severity
- critical
- Severity from
- CVE-2018-16395
- URL
- http://vuxml.freebsd.org/freebsd/afc60484-0652-440e-b01a-5ef814747f06.html
- Published
-
2018-10-17T00:00:00
(6 years ago) - Modified
-
2018-10-20T00:00:00
(6 years ago) - Rights
- FreeBSD VuXML Security Team
- Other Advisories
-
-
ALAS-2018-1113
-
ALAS-2020-1416
-
ALAS2-2019-1143
-
ALAS2-2019-1276
-
ALPINE:CVE-2018-16395
-
ALPINE:CVE-2018-16396
-
DSA-4332-1
-
ELSA-2018-3738
-
ELSA-2019-2028
-
FEDORA-2018-190ecd2ef8
-
FEDORA-2018-319b9d0f68
-
FEDORA-2018-6070bcf454
-
MS:CVE-2018-16395
-
openSUSE-SU-2019:1771-1
-
RHSA-2018:3738
-
RHSA-2019:2028
-
RUBYSEC:OPENSSL-2018-16395
-
SUSE-SU-2019:1804-1
-
SUSE-SU-2020:1570-1
-
USN-3808-1
-
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:freebsd/ruby |
ruby
|
< 2.3.8,1 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |