
Oracle alert ELSA-2018-0378 (ruby)

From:  Errata Announcements for Oracle Linux <el-errata@oss.oracle.com>
To:  el-errata@oss.oracle.com
Subject:  [El-errata] ELSA-2018-0378 Important: Oracle Linux 7 ruby security update
Date:  Wed, 28 Feb 2018 14:59:22 -0800
Message-ID:  <9c483783-1602-da06-a566-47833f975ae1@oracle.com>

Oracle Linux Security Advisory ELSA-2018-0378

http://linux.oracle.com/errata/ELSA-2018-0378.html

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:

x86_64:
ruby-2.0.0.648-33.el7_4.x86_64.rpm
ruby-devel-2.0.0.648-33.el7_4.x86_64.rpm
ruby-doc-2.0.0.648-33.el7_4.noarch.rpm
ruby-irb-2.0.0.648-33.el7_4.noarch.rpm
ruby-libs-2.0.0.648-33.el7_4.i686.rpm
ruby-libs-2.0.0.648-33.el7_4.x86_64.rpm
ruby-tcltk-2.0.0.648-33.el7_4.x86_64.rpm
rubygem-bigdecimal-1.2.0-33.el7_4.x86_64.rpm
rubygem-io-console-0.4.2-33.el7_4.x86_64.rpm
rubygem-json-1.7.7-33.el7_4.x86_64.rpm
rubygem-minitest-4.3.2-33.el7_4.noarch.rpm
rubygem-psych-2.0.0-33.el7_4.x86_64.rpm
rubygem-rake-0.9.6-33.el7_4.noarch.rpm
rubygem-rdoc-4.0.0-33.el7_4.noarch.rpm
rubygems-2.0.14.1-33.el7_4.noarch.rpm
rubygems-devel-2.0.14.1-33.el7_4.noarch.rpm

SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/ruby-2.0.0.648-33...

Description of changes:

[2.0.0.648-33]
- Fix always passing WEBrick test.

[2.0.0.648-32]
- Add Psych.safe_load
  * ruby-2.1.0-there-should-be-only-one-exception.patch
  * ruby-2.1.0-Adding-Psych.safe_load.patch
  Related: CVE-2017-0903
- Disable Tokyo TZ tests broken by recent tzdata update.
  * ruby-2.5.0-Disable-Tokyo-TZ-tests.patch
  Related: CVE-2017-0903

[2.0.0.648-31]
- Fix unsafe object deserialization in RubyGems (CVE-2017-0903).
  * ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch
  Resolves: CVE-2017-0903
- Fix an ANSI escape sequence vulnerability (CVE-2017-0899).
  Resolves: CVE-2017-0899
- Fix a DOS vulnerability in the query command (CVE-2017-0900).
  Resolves: CVE-2017-0900
- Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files (CVE-2017-0901).
  Resolves: CVE-2017-0901
- Fix a DNS request hijacking vulnerability (CVE-2017-0902).
  * ruby-2.2.8-lib-rubygems-fix-several-vulnerabilities-in-RubyGems.patch
  Resolves: CVE-2017-0902
- Fix buffer underrun vulnerability in Kernel.sprintf (CVE-2017-0898).
  * ruby-2.2.8-Buffer-underrun-vulnerability-in-Kernel.sprintf.patch
  Resolves: CVE-2017-0898
- Escape sequence injection vulnerability in the Basic authentication of WEBrick (CVE-2017-10784).
  * ruby-2.2.8-sanitize-any-type-of-logs.patch
  Resolves: CVE-2017-10784
- Arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).
  * ruby-2.2.8-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
  Resolves: CVE-2017-14064
- Command injection vulnerability in Net::FTP (CVE-2017-17405).
  * ruby-2.2.9-Fix-a-command-injection-vulnerability-in-Net-FTP.patch
  Resolves: CVE-2017-17405
- Buffer underrun in OpenSSL ASN1 decode (CVE-2017-14033).
  * ruby-2.2.8-asn1-fix-out-of-bounds-read-in-decoding-constructed-objects.patch
  Resolves: CVE-2017-14033
- Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution (CVE-2017-17790).
  * ruby-2.5.0-Fixed-command-Injection.patch
  Resolves: CVE-2017-17790

_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata
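The Psych.safe_load backport named above is the mitigation for the unsafe object deserialization class of bug (CVE-2017-0903). The following is an added example, not code from the advisory or from Ruby itself, showing how safe_load refuses a YAML object tag unless the class is explicitly permitted; the AuditRecord class and the two YAML documents are constructed for the illustration, and the keyword form permitted_classes: assumes Psych 3.1 or later.

```ruby
require 'psych'

# Constructed stand-in for an application class that an untrusted YAML
# document could instantiate under an unrestricted loader.
class AuditRecord
  attr_accessor :user, :action
end

# Constructed sample: plain data plus a tagged object. The tag is the
# shape of input that unsafe deserialization turns into arbitrary objects.
TAGGED_YAML = <<~YAML
  name: example-gem
  version: "1.0.0"
  record: !ruby/object:AuditRecord
    user: alice
    action: install
YAML

# Constructed sample with only scalars, arrays and hashes.
PLAIN_YAML = <<~YAML
  name: example-gem
  version: "1.0.0"
  files:
    - lib/example.rb
YAML

# Parse untrusted YAML with safe_load: only basic types (plus explicitly
# permitted classes) are instantiated. Returns [:ok, data] on success or
# [:rejected, exception_class_name] when the loader refuses the document.
def load_untrusted(yaml, permitted_classes: [])
  data = Psych.safe_load(yaml, permitted_classes: permitted_classes)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.class.name]
end

# True when the loader refused to instantiate an object tag or alias.
def rejected?(result)
  result.first == :rejected
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted(PLAIN_YAML)                                   # plain data loads
  p load_untrusted(TAGGED_YAML)                                  # object tag rejected
  p load_untrusted(TAGGED_YAML, permitted_classes: [AuditRecord]) # explicit allow-list
end
```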




Copyright © 2025, Eklektix, Inc.