[USN-3553-1] Ruby vulnerabilities

Severity Medium
Affected Packages 5
CVEs 3

Several security issues were fixed in Ruby.

It was discovered that Ruby failed to validate specification names.
An attacker could possibly use a maliciously crafted gem to
overwrite any file on the filesystem. (CVE-2017-0901)

It was discovered that Ruby was vulnerable to DNS hijacking.
An attacker could possibly use this to force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)

It was discovered that Ruby incorrectly handled certain YAML files. An attacker could
use this to possibly execute arbitrary code. (CVE-2017-0903)

| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Affected | pkg:deb/ubuntu/ruby2.3?distro=xenial | ubuntu | ruby2.3 | < 2.3.1-2~16.04.6 | xenial | | |
| Affected | pkg:deb/ubuntu/ruby2.3-tcltk?distro=xenial | ubuntu | ruby2.3-tcltk | < 2.3.1-2~16.04.6 | xenial | | |
| Affected | pkg:deb/ubuntu/ruby2.3-doc?distro=xenial | ubuntu | ruby2.3-doc | < 2.3.1-2~16.04.6 | xenial | | |
| Affected | pkg:deb/ubuntu/ruby2.3-dev?distro=xenial | ubuntu | ruby2.3-dev | < 2.3.1-2~16.04.6 | xenial | | |
| Affected | pkg:deb/ubuntu/libruby2.3?distro=xenial | ubuntu | libruby2.3 | < 2.3.1-2~16.04.6 | xenial | | |