Univention Bugzilla – Bug 49332
ruby2.3: Multiple issues (4.4)
Last modified: 2019-04-24 13:13:07 CEST
New Debian ruby2.3 2.3.3-1+deb9u6 fixes:

This update addresses the following issues:

* Delete directory using symlink when decompressing tar (CVE-2019-8320)
* Escape sequence injection vulnerability in verbose (CVE-2019-8321)
* Escape sequence injection vulnerability in gem owner (CVE-2019-8322)
* Escape sequence injection vulnerability in API response handling (CVE-2019-8323)
* Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324)
* Escape sequence injection vulnerability in errors (CVE-2019-8325)
--- mirror/ftp/4.3/unmaintained/4.3-3/source/ruby2.3_2.3.3-1+deb9u4.dsc +++ apt/ucs_4.4-0-errata4.4-0/source/ruby2.3_2.3.3-1+deb9u6.dsc @@ -1,3 +1,17 @@ +2.3.3-1+deb9u6 [Fri, 12 Apr 2019 20:28:46 +0200] Moritz Mühlenhoff <jmm@debian.org>: + + * CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324 + * CVE-2019-8325 + +2.3.3-1+deb9u5 [Sat, 23 Feb 2019 18:31:45 -0300] Antonio Terceiro <terceiro@debian.org>: + + * Backport upstream patches to fix FTBFS due to expired SSL certificate and + timezone changes (Closes: #919999) + - imap: update test certificate + - timezone changes for Japan and Kiritimati + * test/ruby/test_gc.rb: skip entirely; some tests in there can fail + unpredictably on buildds (Closes: #912740) + 2.3.3-1+deb9u4 [Sun, 28 Oct 2018 21:49:57 +0100] Salvatore Bonaccorso <carnil@debian.org>: * Non-maintainer upload by the Security Team. <http://10.200.17.11/4.4-0/#1230547813015258793>
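Review bot: the new 2.3.3-1+deb9u6 changelog entry lists the six CVE ids only, without saying what each one fixes, while the deb9u5 entry directly below it describes its changes item by item; adding the one-line summaries from the comment above (symlink-based directory deletion when decompressing tar, escape sequence injection in verbose, gem owner, API response handling and errors, code execution from a malicious gem) would make the changelog self-contained for anyone reading the errata without the bug.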
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-0] 84f8561ebf Bug #49332: ruby2.3 2.3.3-1+deb9u6
 doc/errata/staging/ruby2.3.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
<http://errata.software-univention.de/ucs/4.4/53.html>