[USN-3553-1] Ruby vulnerabilities
Leonidas S. Barbosa
leo.barbosa at canonical.com
Wed Jan 31 15:13:56 UTC 2018
Ubuntu Security Notice USN-3553-1
January 31, 2018
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
Several security issues were fixed in Ruby.
- ruby2.3: Interpreter of object-oriented scripting language Ruby
It was discovered that Ruby failed to validate specification names.
An attacker could possibly use a maliciously crafted gem to overwrite
any file on the filesystem. (CVE-2017-0901)
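
One way a tool could refuse such specification names before writing a file, shown as an added example (not RubyGems' or Ubuntu's code). The allow-list patterns, the directory and the sample names are assumptions constructed for illustration.

```ruby
require "pathname"

# Assumed policy for this example: a name is letters, digits, '.', '_' or '-',
# and must start with a letter or digit. \A and \z anchor the whole string,
# so an embedded newline cannot smuggle a second line past the check.
SAFE_NAME    = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/
SAFE_VERSION = /\A[0-9]+(\.[0-9A-Za-z]+)*\z/

class UnsafeSpecName < StandardError; end

# Returns the absolute path "<spec_dir>/<name>-<version>.gemspec", or raises
# UnsafeSpecName if the name or version could redirect the write elsewhere.
def spec_destination(spec_dir, name, version)
  raise UnsafeSpecName, "name must be a String" unless name.is_a?(String)
  raise UnsafeSpecName, "bad name #{name.inspect}" unless name.match?(SAFE_NAME)
  unless version.to_s.match?(SAFE_VERSION)
    raise UnsafeSpecName, "bad version #{version.inspect}"
  end

  base = Pathname.new(spec_dir).expand_path
  dest = base.join("#{name}-#{version}.gemspec").expand_path
  # Defence in depth: even if the patterns are loosened later, the file
  # must still be a direct child of the specifications directory.
  raise UnsafeSpecName, "escapes #{base}" unless dest.dirname == base
  dest.to_s
end

# Runs the check over [name, version] pairs and reports each outcome.
def check_names(spec_dir, candidates)
  candidates.map do |name, version|
    begin
      [name, :ok, spec_destination(spec_dir, name, version)]
    rescue UnsafeSpecName => e
      [name, :rejected, e.message]
    end
  end
end

# Constructed sample input, not taken from any real gem.
EXAMPLE_SPEC_DIR = "/tmp/example-gems/specifications"
SAMPLE = [
  ["rake", "12.0.0"],            # ordinary name
  ["../../../tmp/owned", "1.0"], # directory traversal in the name
  ["/etc/example", "1.0"],       # absolute path as the name
  ["good\n../../x", "1.0"],      # newline followed by traversal
  ["rake", "1.0/../../x"],       # traversal hidden in the version
]

check_names(EXAMPLE_SPEC_DIR, SAMPLE).each { |row| puts row.inspect } if $PROGRAM_NAME == __FILE__
```
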
It was discovered that Ruby was vulnerable to DNS hijacking. An
attacker could use this to possibly force the RubyGems client to
download and install gems from a server that the attacker controls.
(CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files. An
attacker could use this to possibly execute arbitrary code.
The problem can be corrected by updating your system to the following
Ubuntu 16.04 LTS:
In general, a standard system update will make all the necessary
CVE-2017-0901, CVE-2017-0902, CVE-2017-0903