[Secure-testing-team] Bug#873802: Multiple vulnerabilities in rubygems (CVE-2017-0899 to CVE-2017-0902)
Raphael Hertzog
hertzog at debian.org
Thu Aug 31 10:15:00 UTC 2017
Source: ruby2.3
X-Debbugs-CC: team at security.debian.org secure-testing-team at lists.alioth.debian.org
Severity: important
Tags: security
Hi,
the following vulnerabilities were published for ruby2.3. They affect rubygems
more specifically.
CVE-2017-0902[0]:
DNS issue
CVE-2017-0901[1]:
overwrite any file
CVE-2017-0900[2]:
query command
CVE-2017-0899[3]:
ANSI escape issue
Some patches are available here:
https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
The fixes should also be available in (upcoming) ruby 2.3.5 and ruby 2.4.2.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-0902
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902
[1] https://security-tracker.debian.org/tracker/CVE-2017-0901
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901
[2] https://security-tracker.debian.org/tracker/CVE-2017-0900
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900
[3] https://security-tracker.debian.org/tracker/CVE-2017-0899
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899
Please adjust the affected versions in the BTS as needed.
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/