========================================================================== Ubuntu Security Notice USN-3553-1 January 31, 2018 ruby2.3 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 17.10 - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Ruby. Software Description: - ruby2.3: Interpreter of object-oriented scripting language Ruby Details: It was discovered that Ruby failed to validate specification names. An attacker could possibly use a maliciously crafted gem to potentially overwrite any file on the filesystem. (CVE-2017-0901) It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability. An attacker could use this to possibly force the RubyGems client to download and install gems from a server that the attacker controls. (CVE-2017-0902) It was discovered that Ruby incorrectly handled certain YAML files. An attacker could use this to possibly execute arbitrary code. (CVE-2017-0903) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 17.10: libruby2.3 2.3.3-1ubuntu1.3 ruby2.3 2.3.3-1ubuntu1.3 Ubuntu 16.04 LTS: libruby2.3 2.3.1-2~16.04.6 ruby2.3 2.3.1-2~16.04.6 In general, a standard system update will make all the necessary changes. References: https://www.ubuntu.com/usn/usn-3553-1 CVE-2017-0901, CVE-2017-0902, CVE-2017-0903 Package Information: https://launchpad.net/ubuntu/+source/ruby2.3/2.3.3-1ubuntu1.3 https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~16.04.6