Ubuntu Security Notice 3365-1 - It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching. This issue only applied to Ubuntu 14.04 LTS. Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. Various other issues were also addressed.
d9c893a22d5c169a8dba5385ae2f48c95bb57c3652df1066df59f1b32a5c6be2
===========================================================================
Ubuntu Security Notice USN-3365-1
July 25, 2017
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
===========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby2.3: Object-oriented scripting language
- ruby1.9.1: Object-oriented scripting language
- ruby2.0: Object-oriented scripting language
Details:
It was discovered that Ruby DL::dlopen incorrectly handled opening
libraries. An attacker could possibly use this issue to open libraries with
tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147)
Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby
OpenSSL extension incorrectly handled hostname wildcard matching. This
issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855)
Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly
handled certain crafted strings. An attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code. This issue only
applied to Ubuntu 14.04 LTS. (CVE-2015-7551)
It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences. A
remote attacker could possibly use this issue to inject SMTP commands.
(CVE-2015-9096)
Marcin Noga discovered that Ruby incorrectly handled certain arguments in
a TclTkIp class method. An attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-2337)
It was discovered that Ruby Fiddle::Function.new incorrectly handled
certain arguments. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2339)
It was discovered that Ruby incorrectly handled the initialization vector
(IV) in GCM mode. An attacker could possibly use this issue to bypass
encryption. (CVE-2016-7798)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
libruby2.3 2.3.3-1ubuntu0.1
ruby2.3 2.3.3-1ubuntu0.1
Ubuntu 16.04 LTS:
libruby2.3 2.3.1-2~16.04.2
ruby2.3 2.3.1-2~16.04.2
Ubuntu 14.04 LTS:
libruby1.9.1 1.9.3.484-2ubuntu1.3
libruby2.0 2.0.0.484-1ubuntu2.4
ruby1.9.1 1.9.3.484-2ubuntu1.3
ruby2.0 2.0.0.484-1ubuntu2.4
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3365-1
CVE-2009-5147, CVE-2015-1855, CVE-2015-7551, CVE-2015-9096,
CVE-2016-2337, CVE-2016-2339, CVE-2016-7798
Package Information:
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.3-1ubuntu0.1
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~16.04.2
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.484-2ubuntu1.3
https://launchpad.net/ubuntu/+source/ruby2.0/2.0.0.484-1ubuntu2.4
--Ne5oXbEjQjrOEbUtAsklbRkXL9up36AbS--