{"id":41018,"date":"2021-03-26T00:43:03","date_gmt":"2021-03-25T15:43:03","guid":{"rendered":"https:\/\/jirak.net\/wp\/usn-3685-2-ruby-regression\/"},"modified":"2021-03-26T01:34:17","modified_gmt":"2021-03-25T16:34:17","slug":"usn-3685-2-ruby-regression","status":"publish","type":"post","link":"https:\/\/jirak.net\/wp\/usn-3685-2-ruby-regression\/","title":{"rendered":"USN-3685-2: Ruby regression"},"content":{"rendered":"<p>USN-3685-2: Ruby regression<\/p>\n<p>USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced<br \/>\na regression in Ruby. This update fixes the problem.<\/p>\n<p>Original advisory details:<\/p>\n<p>Some of these CVE were already addressed in previous<br \/>\nUSN: 3439-1, 3553-1, 3528-1. Here we address for<br \/>\nthe remain releases.<\/p>\n<p>It was discovered that Ruby incorrectly handled certain inputs.<br \/>\nAn attacker could use this to cause a buffer overrun. (CVE-2017-0898)<\/p>\n<p>It was discovered that Ruby incorrectly handled certain files.<br \/>\nAn attacker could use this to overwrite any file on the filesystem.<br \/>\n(CVE-2017-0901)<\/p>\n<p>It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.<br \/>\nAn attacker could use this to possibly force the RubyGems client to download<br \/>\nand install gems from a server that the attacker controls. (CVE-2017-0902)<\/p>\n<p>It was discovered that Ruby incorrectly handled certain YAML files.<br \/>\nAn attacker could use this to possibly execute arbitrary code. (CVE-2017-0903)<\/p>\n<p>It was discovered that Ruby incorrectly handled certain files.<br \/>\nAn attacker could use this to expose sensitive information.<br \/>\n(CVE-2017-14064)<\/p>\n<p>It was discovered that Ruby incorrectly handled certain inputs.<br \/>\nAn attacker could use this to execute arbitrary code. (CVE-2017-10784)<\/p>\n<p>It was discovered that Ruby incorrectly handled certain network requests.<br \/>\nAn attacker could possibly use this to inject a crafted key into a HTTP<br \/>\nresponse. (CVE-2017-17742)<\/p>\n<p>It was discovered that Ruby incorrectly handled certain files.<br \/>\nAn attacker could possibly use this to execute arbitrary code.<br \/>\nThis update is only addressed to ruby2.0. (CVE-2018-1000074)<\/p>\n<p>It was discovered that Ruby incorrectly handled certain network requests.<br \/>\nAn attacker could possibly use this to cause a denial of service.<br \/>\n(CVE-2018-8777)<br \/>\nSource: <a href=\"https:\/\/ubuntu.com\/security\/notices\/USN-3685-2\" target=\"_blank\" rel=\"noopener\">USN-3685-2: Ruby regression<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>USN-3685-2: Ruby regression USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced a regression in Ruby. This update fixes the problem. Original advisory details: Some of these CVE were already addressed in previous USN: 3439-1, 3553-1, 3528-1. Here we address for the remain releases. It was discovered that Ruby incorrectly handled certain inputs. An attacker could use this to cause a buffer overrun. (CVE-2017-0898) It was discovered that Ruby incorrectly handled certain files. An attacker could use this to overwrite any file on the filesystem. (CVE-2017-0901) It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. An attacker could use this to possibly force the RubyGems client to download and install gems from a server that the attacker controls. (CVE-2017-0902) It was discovered that Ruby incorrectly handled certain YAML files. An attacker could use this to <a class=\"mh-excerpt-more\" href=\"https:\/\/jirak.net\/wp\/usn-3685-2-ruby-regression\/\" title=\"USN-3685-2: Ruby regression\">[ more&#8230; ]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[586],"tags":[587],"class_list":["post-41018","post","type-post","status-publish","format-standard","hentry","category-ubuntu-usn","tag-ubuntu-usn"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/41018","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/comments?post=41018"}],"version-history":[{"count":1,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/41018\/revisions"}],"predecessor-version":[{"id":41019,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/41018\/revisions\/41019"}],"wp:attachment":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/media?parent=41018"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/categories?post=41018"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/tags?post=41018"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}