Debian Local Security Checks : Debian LTS: Security Advisory for ruby2.1 (DLA-1480-1)

Búsqueda de Vulnerabilidad		Buscar 219043 Descripciones CVE y 99761 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.891480

Categoría: Debian Local Security Checks

Título: Debian LTS: Security Advisory for ruby2.1 (DLA-1480-1)

Resumen: Several vulnerabilities were discovered in Ruby 2.1.;;CVE-2016-2337;;Type confusion exists in _cancel_eval Ruby's TclTkIp class;method. Attacker passing different type of object than String as;'retval' argument can cause arbitrary code execution.;;CVE-2018-1000073;;RubyGems contains a Directory Traversal vulnerability in;install_location function of package.rb that can result in path;traversal when writing to a symlinked basedir outside of the root.;;CVE-2018-1000074;;RubyGems contains a Deserialization of Untrusted Data;vulnerability in owner command that can result in code;execution. This attack appear to be exploitable via victim must;run the `gem owner` command on a gem with a specially crafted YAML;file.

Descripción: Summary:
Several vulnerabilities were discovered in Ruby 2.1.

CVE-2016-2337

Type confusion exists in _cancel_eval Ruby's TclTkIp class
method. Attacker passing different type of object than String as
'retval' argument can cause arbitrary code execution.

CVE-2018-1000073

RubyGems contains a Directory Traversal vulnerability in
install_location function of package.rb that can result in path
traversal when writing to a symlinked basedir outside of the root.

CVE-2018-1000074

RubyGems contains a Deserialization of Untrusted Data
vulnerability in owner command that can result in code
execution. This attack appear to be exploitable via victim must
run the `gem owner` command on a gem with a specially crafted YAML
file.

Affected Software/OS:
ruby2.1 on Debian Linux

Solution:
For Debian 8 'Jessie', these problems have been fixed in version
2.1.5-2+deb8u5.

We recommend that you upgrade your ruby2.1 packages.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2016-2337
BugTraq ID: 91233
http://www.securityfocus.com/bid/91233
https://security.gentoo.org/glsa/201710-18
http://www.talosintelligence.com/reports/TALOS-2016-0031/
https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html

Copyright Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net

Esta es sólo una de 99761 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.891480
Categoría:	Debian Local Security Checks
Título:	Debian LTS: Security Advisory for ruby2.1 (DLA-1480-1)
Resumen:	Several vulnerabilities were discovered in Ruby 2.1.;;CVE-2016-2337;;Type confusion exists in _cancel_eval Ruby's TclTkIp class;method. Attacker passing different type of object than String as;'retval' argument can cause arbitrary code execution.;;CVE-2018-1000073;;RubyGems contains a Directory Traversal vulnerability in;install_location function of package.rb that can result in path;traversal when writing to a symlinked basedir outside of the root.;;CVE-2018-1000074;;RubyGems contains a Deserialization of Untrusted Data;vulnerability in owner command that can result in code;execution. This attack appear to be exploitable via victim must;run the `gem owner` command on a gem with a specially crafted YAML;file.
Descripción:	Summary: Several vulnerabilities were discovered in Ruby 2.1. CVE-2016-2337 Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as 'retval' argument can cause arbitrary code execution. CVE-2018-1000073 RubyGems contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. CVE-2018-1000074 RubyGems contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. Affected Software/OS: ruby2.1 on Debian Linux Solution: For Debian 8 'Jessie', these problems have been fixed in version 2.1.5-2+deb8u5. We recommend that you upgrade your ruby2.1 packages. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2016-2337 BugTraq ID: 91233 http://www.securityfocus.com/bid/91233 https://security.gentoo.org/glsa/201710-18 http://www.talosintelligence.com/reports/TALOS-2016-0031/ https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
Copyright	Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net