Information on source package ruby2.3

Available versions

| Release | Version |
|---|---|
| stretch (security) | 2.3.3-1+deb9u2 |
| buster | 2.3.6-2 |
| sid | 2.3.6-2 |

Open issues

| Bug | stretch | buster | sid | Description |
|---|---|---|---|---|
| CVE-2018-1000079 | vulnerable | vulnerable | vulnerable | Path traversal issue during gem installation allows to write to arbitrary filesystem locations |
| CVE-2018-1000078 | vulnerable | vulnerable | vulnerable | XSS vulnerability in homepage attribute when displayed via gem server |
| CVE-2018-1000077 | vulnerable | vulnerable | vulnerable | Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL |
| CVE-2018-1000076 | vulnerable | vulnerable | vulnerable | Improper verification of signatures in tarball allows to install mis-signed gem |
| CVE-2018-1000075 | vulnerable | vulnerable | vulnerable | Infinite loop vulnerability due to negative size in tar header causes Denial of Service |
| CVE-2018-1000074 | vulnerable | vulnerable | vulnerable | Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML |
| CVE-2018-1000073 | vulnerable | vulnerable | vulnerable | Path traversal when writing to a symlinked basedir outside of the root |
| CVE-2017-17790 | vulnerable (no DSA, postponed) | vulnerable | vulnerable | The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 ... |
| CVE-2017-17405 | vulnerable (no DSA, postponed) | fixed | fixed | Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, ... |

Resolved issues

| Bug | Description |
|---|---|
| CVE-2017-6181 | The parse_char_class function in regparse.c in the Onigmo (aka ... |
| CVE-2017-14064 | Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can ... |
| CVE-2017-14033 | The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, ... |
| CVE-2017-11465 | The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows ... |
| CVE-2017-10784 | The Basic authentication code in WEBrick library in Ruby before 2.2.8, ... |
| CVE-2017-0903 | RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a ... |
| CVE-2017-0902 | RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking ... |
| CVE-2017-0901 | RubyGems version 2.6.12 and earlier fails to validate specification ... |
| CVE-2017-0900 | RubyGems version 2.6.12 and earlier is vulnerable to maliciously ... |
| CVE-2017-0899 | RubyGems version 2.6.12 and earlier is vulnerable to maliciously ... |
| CVE-2017-0898 | Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious ... |
| CVE-2016-7798 | The openssl gem for Ruby uses the same initialization vector (IV) in ... |
| CVE-2016-2339 | An exploitable heap overflow vulnerability exists in the ... |
| CVE-2016-2337 | Type confusion exists in _cancel_eval Ruby's TclTkIp class method. ... |
| CVE-2016-2336 | Type confusion exists in two methods of Ruby's WIN32OLE class, ... |
| CVE-2015-9096 | Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection ... |

Security announcements

| DSA / DLA | Description |
|---|---|
| DSA-4031-1 | ruby2.3 - security update |
| DSA-3966-1 | ruby2.3 - security update |
