[3.4] Ruby 2.2.9, 2.3.6, 2.4.3, 2.5.0 Multiple Vulnerabilities
Ruby has multiple vulnerabilities:
- CVE-2017-17742: HTTP response splitting in WEBrick
- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
- CVE-2018-8777: DoS by large request in WEBrick
- CVE-2018-8778: Buffer under-read in String#unpack
- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
- Multiple vulnerabilities in RubyGems
Fixed in ruby 2.5.1, 2.4.4, 2.3.7, 2.2.10
(from redmine: issue id 8750, created on 2018-03-29, closed on 2018-04-03)
- Relations:
  - parent #8746 (closed)
- Changesets:
  - Revision 1779cab8 by Natanael Copa on 2018-03-29T14:32:44Z:

    main/ruby: security upgrade to 2.3.7

    CVE-2017-17742: HTTP response splitting in WEBrick
    CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
    CVE-2018-8777: DoS by large request in WEBrick
    CVE-2018-8778: Buffer under-read in String#unpack
    CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
    CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir

    fixes #8750