Debian alert DSA-3966-1 (ruby2.3)
| From: | Moritz Muehlenhoff <jmm@debian.org> | |
| To: | debian-security-announce@lists.debian.org | |
| Subject: | [SECURITY] [DSA 3966-1] ruby2.3 security update | |
| Date: | Tue, 5 Sep 2017 22:17:58 +0200 | |
| Message-ID: | <20170905201758.i4snjbljfyhxtsfg@pisco.westfalen.local> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3966-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 05, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ruby2.3 CVE ID : CVE-2015-9096 CVE-2016-7798 CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902 CVE-2017-14064 Multiple vulnerabilities were discovered in the interpreter for the Ruby language: CVE-2015-9096 SMTP command injection in Net::SMTP. CVE-2016-7798 Incorrect handling of initialization vector in the GCM mode in the OpenSSL extension. CVE-2017-0900 Denial of service in the RubyGems client. CVE-2017-0901 Potential file overwrite in the RubyGems client. CVE-2017-0902 DNS hijacking in the RubyGems client. CVE-2017-14064 Heap memory disclosure in the JSON library. For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u1. This update also hardens RubyGems against malicious termonal escape sequences (CVE-2017-0899). We recommend that you upgrade your ruby2.3 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlmvBdcACgkQEMKTtsN8 TjZ4lA/+OnJv4dBBAoaGZkDusm2OtBRUZTjH19i1CqwrP6BrSt7tlGXRx9y9rSES uwLYy0C6CIFpsubUUwtM0bUksDO9/uQ2oqzIXj+iSkkRmZPeqLtrYYyhRLbvmUyL LSYYAcZ4olk61XffsRC+lfmSINQ1CgFo1W6HuCdPAaitsXXSCKqdI1IBFoXCH0KQ lwQzD3lQaldqq4aqJTk8Lp4ubx4ZZfJtq7V7BLayUTpsvaqarbkpSneCUMY8/GBP 4TvGFXW8cco1DneG4EpaKuIvo8RVr5QbnBu/a9egBX/qseCkn37d951PFS8HyMWN APmRssNzKkeXzUCAKwJ5scXQnCILW3KNkQlaX1Tc+wV+FET6EHK9puAaEqJGpLDT hkO0RenljeyJaQdkYhs53F6gOpL+wYNgMi7J2at/pOA/UEfs7UTREntFE69a4KLo 3N5FrXNlo9CpLCUHcvw230gF5dRIa7vqdE+abZewl4UTULJ5cE+NmEm+0dUJi0AD Nf/T7+L7k0XsGhCQR9YtbLJQPzxArKfzVmInKOJZupO9IDWWG0o1cGVeDDkbNzya 8b9fgNl7WhS0bwl7cilx1sbnPq4QF+tCnldXOqVjzfmEIaKH7NfMSHdedW1z3Erf n5lSEM+bMaCR5CJFlB57v1ur8wPmB1jSJUKuhfLFNQCIfqYEuPI= =2Vkr -----END PGP SIGNATURE-----