Univention Bugzilla – Bug 47684
ruby2.1: Multiple issues (4.2)
Last modified: 2018-08-29 13:43:03 CEST
New Debian ruby2.1 2.1.5-2+deb8u5 fixes: This update addresses the following issues: * TclTkIp ip_cancel_eval type confusion vulnerability (CVE-2016-2337) * Path traversal when writing to a symlinked basedir outside of the root (CVE-2018-1000073) * Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (CVE-2018-1000074)
--- mirror/ftp/4.2/unmaintained/component/4.2-4-errata/source/ruby2.1_2.1.5-2+deb8u4.dsc +++ apt/ucs_4.2-0-errata4.2-4/source/ruby2.1_2.1.5-2+deb8u5.dsc @@ -1,3 +1,12 @@ +2.1.5-2+deb8u5 [Mon, 27 Aug 2018 15:08:54 -0400] Antoine Beaupré <anarcat@debian.org>: + + * Non-maintainer upload by the LTS Security Team. + * CVE-2018-1000074.patch: fix Deserialization of Untrusted Data + vulnerability in owner command that can result in code execution + through specially crafted YAML files. (Closes: #895778) + * CVE-2018-1000073.patch: fix directory traversal vulnerability + * CVE-2016-2337.patch: fix arbitrary code execution in Tcl/Tk API + 2.1.5-2+deb8u4 [Fri, 13 Jul 2018 15:55:10 +0200] Santiago Ruano Rincón <santiagorr@riseup.net>: * Non-maintainer upload by the LTS Team. <http://10.200.17.11/4.2-4/#2965105212185864194>
67f2ff0e fixed yaml OK: piuparts OK: announce_errata OK: patch Verified
<http://errata.software-univention.de/ucs/4.2/500.html>