[3.7] Ruby 2.2.9, 2.3.6, 2.4.3, 2.5.0 Multiple Vulnerabilities
Ruby has multiple vulnerabilities:
- CVE-2017-17742: HTTP response splitting in WEBrick
- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
- CVE-2018-8777: DoS by large request in WEBrick
- CVE-2018-8778: Buffer under-read in String#unpack
- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
- Multiple vulnerabilities in RubyGems
Fixed in ruby 2.5.1, 2.4.4, 2.3.7, 2.2.10
(from redmine: issue id 8747, created on 2018-03-29, closed on 2018-04-03)
- Relations:
- parent #8746 (closed)
- Changesets:
- Revision 8e71f2e5 by Natanael Copa on 2018-03-29T14:19:52Z:
main/ruby: security upgrade to 2.5.1
CVE-2017-17742: HTTP response splitting in WEBrick
CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
CVE-2018-8777: DoS by large request in WEBrick
CVE-2018-8778: Buffer under-read in String#unpack
CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in
Dir
ref #8747- Revision 0bba1702 by Natanael Copa on 2018-03-29T14:25:15Z:
main/ruby: security upgrade to 2.4.4
CVE-2017-17742: HTTP response splitting in WEBrick
CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
CVE-2018-8777: DoS by large request in WEBrick
CVE-2018-8778: Buffer under-read in String#unpack
CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in
Dir
fixes #8747
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information