-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Jul 2018 15:55:10 +0200
Source: ruby2.1
Binary: ruby2.1 libruby2.1 ruby2.1-dev ruby2.1-doc ruby2.1-tcltk
Architecture: source amd64 all
Version: 2.1.5-2+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: Antonio Terceiro <terceiro@debian.org>
Changed-By: Santiago Ruano Rincón <santiagorr@riseup.net>
Description:
 libruby2.1 - Libraries necessary to run Ruby 2.1
 ruby2.1    - Interpreter of object-oriented scripting language Ruby
 ruby2.1-dev - Header files for compiling extension modules for the Ruby 2.1
 ruby2.1-doc - Documentation for Ruby 2.1
 ruby2.1-tcltk - Ruby/Tk for Ruby 2.1
Closes: 851161
Changes:
 ruby2.1 (2.1.5-2+deb8u4) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Fix multiple security issues:
   * CVE-2015-9096: SMTP command injection via CRLF sequences
   * CVE-2016-2339: Exploitable heap overflow in Fiddle::Function.new
     (Closes: #851161)
   * CVE-2016-7798: Fix IV Reuse in GCM Mode. Patch by Kazuki Yamaguchi <k@rhe.jp>
   * CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
   * CVE-2017-10784: lib/webrick/log.rb: sanitize any type of logs
   * CVE-2017-14033: asn1: fix out-of-bounds read in decoding constructed objects
   * CVE-2017-14064: Heap exposure vulnerability in generating JSON
   * CVE-2017-0903: Whitelist classes and symbols that are in Gem spec YAML
   * Fix multiple vulnerabilities in rubygems:
     - a DNS request hijacking vulnerability. (CVE-2017-0902)
     - an ANSI escape sequence vulnerability. (CVE-2017-0899)
     - a DoS vulnerability in the query command. (CVE-2017-0900)
     - a vulnerability in the gem installer that allowed a malicious gem to
       overwrite arbitrary files.
       (CVE-2017-0901)
   * CVE-2017-17405: Command injection in Net::FTP
   * CVE-2017-17790: Command injection in Hosts:new() by use of Kernel#open
   * CVE-2018-1000075: Strictly interpret octal fields in tar headers to avoid infinite loop
   * CVE-2018-1000076: Raise a security error when there are duplicate files in a package
   * CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
   * CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when displayed via gem server.
   * CVE-2018-1000079: Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations.
   * CVE-2018-8778: Buffer under-read in String#unpack
   * CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
   * CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
   * CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
   * CVE-2018-8777: DoS by large request in WEBrick
   * CVE-2017-17742: HTTP response splitting in WEBrick