Format: 1.8
Date: Thu, 19 Jul 2018 13:28:10 +0200
Source: ruby2.3
Binary: ruby2.3 libruby2.3 ruby2.3-dev ruby2.3-doc ruby2.3-tcltk
Architecture: source
Version: 2.3.3-1+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Antonio Terceiro <terceiro@debian.org>
Changed-By: Santiago R.R. <santiagorr@riseup.net>
Description:
 libruby2.3    - Libraries necessary to run Ruby 2.3
 ruby2.3       - Interpreter of object-oriented scripting language Ruby
 ruby2.3-dev   - Header files for compiling extension modules for the Ruby 2.3
 ruby2.3-doc   - Documentation for Ruby 2.3
 ruby2.3-tcltk - Ruby/Tk for Ruby 2.3
Closes: 889117 898694
Changes:
 ruby2.3 (2.3.3-1+deb9u3) stretch-security; urgency=medium
 .
   [ Santiago R.R. ]
   * Fix Command injection vulnerability in Net::FTP. [CVE-2017-17405]
   * webrick: use IO.copy_stream for multipart response. Required changes in
     WEBrick to fix CVE-2017-17742 and CVE-2018-8777
   * Fix HTTP response splitting in WEBrick. [CVE-2017-17742]
   * Fix Command Injection in Hosts::new() by use of Kernel#open.
     [CVE-2017-17790]
   * Fix Unintentional directory traversal by poisoned NUL byte in Dir
     [CVE-2018-8780]
   * Fix multiple vulnerabilities in RubyGems.
     CVE-2018-1000073: Prevent Path Traversal issue during gem installation.
     CVE-2018-1000074: Fix possible Unsafe Object Deserialization Vulnerability
       in gem owner.
     CVE-2018-1000075: Strictly interpret octal fields in tar headers.
     CVE-2018-1000076: Raise a security error when there are duplicate files
       in a package.
     CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
     CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when
       displayed via gem server.
     CVE-2018-1000079: Prevent path traversal when writing to a symlinked
       basedir outside of the root.
   * Fix directory traversal vulnerability in the Dir.mktmpdir method in the
     tmpdir library [CVE-2018-6914]
   * Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and
     UNIXSocket [CVE-2018-8779]
   * Fix Buffer under-read in String#unpack [CVE-2018-8778]
   * Fix tests to cope with updates in tzdata (Closes: #889117)
   * Exclude Rinda TestRingFinger and TestRingServer test units requiring
     network access (Closes: #898694)
 .
   [ Antonio Terceiro ]
   * debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to
     assumptions that don't hold on newer tzdata update. Upstream bug:
     https://bugs.ruby-lang.org/issues/14655
Checksums-Sha1:
 5afa01b2458ca3ae446afafc81199d74e4d7bede 2503 ruby2.3_2.3.3-1+deb9u3.dsc
 b178b5349ce51fdc6d64f8f09a2e5c8666afbf69 115108 ruby2.3_2.3.3-1+deb9u3.debian.tar.xz
 07c8c87633399d1206a19f7ab886f7daffe7f216 10673 ruby2.3_2.3.3-1+deb9u3_amd64.buildinfo
Checksums-Sha256:
 bb63c143540a31a71a1982219266580434c35e4f09ff5db3bb1cced5cf611e0d 2503 ruby2.3_2.3.3-1+deb9u3.dsc
 076c1973276eb48d0adb655e595dfcce62d0273ebc3beaa2ef6815c862fd2aab 115108 ruby2.3_2.3.3-1+deb9u3.debian.tar.xz
 37a7b6f3e106d6d54fe5649a72b23066a3edd4e6f9a5cabae4467a477b5c9f7a 10673 ruby2.3_2.3.3-1+deb9u3_amd64.buildinfo
Files:
 1d4de9b04ccbcb46357fcdbff8b2b620 2503 ruby optional ruby2.3_2.3.3-1+deb9u3.dsc
 21fc61cef0ddad1b284d011f177b2326 115108 ruby optional ruby2.3_2.3.3-1+deb9u3.debian.tar.xz
 3a4b287deb5600e5ce35827925d87170 10673 ruby optional ruby2.3_2.3.3-1+deb9u3_amd64.buildinfo