accept no compromises
Showing 1 - 25 of 453 RSS Feed

Ruby Files

Slackware Security Advisory - ruby Updates
Posted Sep 19, 2017
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New ruby packages are available for Slackware 14.2 and -current to fix security issues.

tags | advisory, ruby
systems | linux, slackware
advisories | CVE-2017-0898, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901, CVE-2017-0902, CVE-2017-10784, CVE-2017-14033, CVE-2017-14064
MD5 | 47bd1d75998a355fce517007a4e68807
Red Hat Security Advisory 2017-2596-01
Posted Sep 6, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2596-01 - Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix: Multiple object deserialization flaws were discovered in the MethodClosure class in Groovy. A specially crafted serialized object deserialized by an application using the Groovy library could cause the application to execute arbitrary code.

tags | advisory, java, arbitrary, python, ruby
systems | linux, redhat
advisories | CVE-2015-3253, CVE-2016-6814
MD5 | 436115415533ea2a3f8f56bb943da1ee
Red Hat Security Advisory 2017-2486-01
Posted Aug 17, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2486-01 - Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix: It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.

tags | advisory, java, remote, code execution, python, ruby
systems | linux, redhat
advisories | CVE-2016-6814
MD5 | 5b48c38a82a5183a49596ef0d8575696
Red Hat Security Advisory 2017-1758-01
Posted Aug 3, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-1758-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components.

tags | advisory, remote, web, ruby
systems | linux, redhat
advisories | CVE-2016-7047, CVE-2017-2664, CVE-2017-7497, CVE-2017-7530
MD5 | fe93f01d1cd8e7ef560224b2f2389d9a
Ubuntu Security Notice USN-3365-1
Posted Jul 25, 2017
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3365-1 - It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching. This issue only applied to Ubuntu 14.04 LTS. Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. Various other issues were also addressed.

tags | advisory, denial of service, arbitrary, ruby
systems | linux, ubuntu
advisories | CVE-2009-5147, CVE-2015-1855, CVE-2015-7551, CVE-2015-9096, CVE-2016-2337, CVE-2016-2339, CVE-2016-7798
MD5 | a6af5cc73212f069a7f0d48255978f2f
Red Hat Security Advisory 2017-1601-01
Posted Jun 28, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-1601-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. rh-ruby23-rubygem-nokogiri provides Nokogiri, which is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents using XPath or CSS3 selectors. rh-ruby23-rubygem-ovirt-engine-sdk4 provides the ruby SDK for the oVirt Engine API.

tags | advisory, web, ruby
systems | linux, redhat
advisories | CVE-2016-4457, CVE-2016-7047, CVE-2017-7497
MD5 | 445fd5cb0824cb408c522dedc70efea6
Red Hat Security Advisory 2017-1367-01
Posted May 31, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-1367-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Security Fix: CloudForms includes a default SSL/TLS certificate for the web server. This certificate is replaced at install time, however if an attacker were able to man-in-the-middle an administrator while installing the new certificate the attacker could get a copy of the private key uploaded allowing for future attacks.

tags | advisory, web, ruby
systems | linux, redhat
advisories | CVE-2016-4457, CVE-2017-2639
MD5 | 2cc36a54f3b8776f87f8d5727094be06
Red Hat Security Advisory 2017-0898-01
Posted Apr 12, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-0898-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Security Fix: A number of unused delete routes are present in CloudForms which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would require additional cross-site scripting or similar attacks in order to execute.

tags | advisory, web, xss, ruby
systems | linux, redhat
advisories | CVE-2017-2653
MD5 | 45af748afc5d4df8b78db2ab572c2521
Github Enterprise Default Session Secret And Deserialization
Posted Mar 27, 2017
Authored by sinn3r, iblue | Site metasploit.com

This Metasploit module exploits two security issues in Github Enterprise, version 2.8.0 - 2.8.6. The first is that the session management uses a hard-coded secret value, which can be abused to sign a serialized malicious Ruby object. The second problem is due to the use of unsafe deserialization, which allows the malicious Ruby object to be loaded, and results in arbitrary remote code execution. This exploit was tested against version 2.8.0.

tags | exploit, remote, arbitrary, code execution, ruby
MD5 | ca3b7f3ca2be9221feac2054c941ad33
Debian Security Advisory 3801-1
Posted Mar 6, 2017
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3801-1 - It was discovered that ruby-zip, a Ruby module for reading and writing zip files, is prone to a directory traversal vulnerability. An attacker can take advantage of this flaw to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.

tags | advisory, arbitrary, ruby
systems | linux, debian
advisories | CVE-2017-5946
MD5 | df65cf6647674ff7ccc611174152a741
Red Hat Security Advisory 2017-0320-01
Posted Feb 28, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-0320-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view controller framework for web application development. Action Pack implements the controller and the view components. This update fixes various bugs and adds several enhancements.

tags | advisory, web, ruby
systems | linux, redhat
advisories | CVE-2017-2632
MD5 | e8ea9adb8555545f03a504ded6d5b6b9
Gentoo Linux Security Advisory 201702-32
Posted Feb 23, 2017
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201702-32 - Ruby Archive::Tar::Minitar is vulnerable to a directory traversal attack. Versions prior to 0.6.1 are affected.

tags | advisory, ruby
systems | linux, gentoo
advisories | CVE-2016-10173
MD5 | 089ece30a4fb0e4bcad317e23b7d11a3
Debian Security Advisory 3778-1
Posted Feb 1, 2017
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3778-1 - Michal Marek discovered that ruby-archive-tar-minitar, a Ruby library that provides the ability to deal with POSIX tar archive files, is prone to a directory traversal vulnerability. An attacker can take advantage of this flaw to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.

tags | advisory, arbitrary, ruby
systems | linux, debian, osx
advisories | CVE-2016-10173
MD5 | b910898d8052c81fee3aa14c5a0848f5
Red Hat Security Advisory 2016-2839-01
Posted Nov 30, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2839-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Security Fix: A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as.

tags | advisory, remote, web, arbitrary, ruby
systems | linux, redhat
advisories | CVE-2016-5402
MD5 | f4dd89e83fa0c97433d21bfaab95f095
Red Hat Security Advisory 2016-2091-01
Posted Oct 20, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2091-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Security Fix: CloudForms did not properly apply permissions controls to VM IDs passed by users. A remote, authenticated attacker could use this flaw to execute arbitrary VMs on systems managed by CloudForms if they know the ID of the VM.

tags | advisory, remote, web, arbitrary, ruby
systems | linux, redhat
advisories | CVE-2016-7071
MD5 | 5cd5d1459e00d917cc5c29c61f10d67d
Ruby on Rails Dynamic Render File Upload Remote Code Execution
Posted Oct 13, 2016
Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in the explicit render method when leveraging user parameters. This Metasploit module has been tested across multiple versions of Ruby on Rails. The technique used by this module requires the specified endpoint to be using dynamic render paths. Also, the vulnerable target will need a POST endpoint for the TempFile upload, this can literally be any endpoint. This Metasploit module does not use the log inclusion method of exploitation due to it not being universal enough. Instead, a new code injection technique was found and used whereby an attacker can upload temporary image files against any POST endpoint and use them for the inclusion attack. Finally, you only get one shot at this if you are testing with the builtin rails server, use caution.

tags | exploit, remote, code execution, file upload, ruby
advisories | CVE-2016-0752
MD5 | 330df82eae0981c2ca7cc8777a63a53c
Red Hat Security Advisory 2016-1996-01
Posted Oct 4, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-1996-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. An input validation flaw was found in the way CloudForms regular expressions were passed to the expression engine via the JSON API and the web-based UI. A user with the ability to view collections and filter them could use this flaw to execute arbitrary shell commands on the host with the privileges of the CloudForms process.

tags | advisory, web, arbitrary, shell, ruby
systems | linux, redhat
advisories | CVE-2016-7040
MD5 | 0a76737b20bd23fd5da5a8e13dee366d
Metasploit Web UI Static secret_key_base Value
Posted Sep 24, 2016
Authored by joernchen, Justin Steven | Site metasploit.com

This Metasploit module exploits the Web UI for Metasploit Community, Express and Pro where one of a certain set of Weekly Releases have been applied. These Weekly Releases introduced a static secret_key_base value. Knowledge of the static secret_key_base value allows for deserialization of a crafted Ruby Object, achieving code execution. This Metasploit module is based on exploits/multi/http/rails_secret_deserialization.

tags | exploit, web, code execution, ruby
MD5 | 346aa14307013225d55de3662f17f41d
Red Hat Security Advisory 2016-1856-01
Posted Sep 13, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-1856-01 - Ruby on Rails is a model-view-controller framework for web application development. Action View implements the view component. Security Fix: It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting attack.

tags | advisory, remote, web, xss, ruby
systems | linux, redhat
advisories | CVE-2016-6316
MD5 | 40ce1e72c60af8fc7487d1e0ca1f3851
Red Hat Security Advisory 2016-1855-01
Posted Sep 13, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-1855-01 - Ruby on Rails is a model-view-controller framework for web application development. Action View implements the view component, and Active Record implements the model component. Security Fix in rubygem-actionview: It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting attack.

tags | advisory, remote, web, xss, ruby
systems | linux, redhat
advisories | CVE-2016-6316, CVE-2016-6317
MD5 | 40af75057d70a5e460f3583e95deddf5
Red Hat Security Advisory 2016-1857-01
Posted Sep 13, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-1857-01 - Ruby on Rails is a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Security Fix: It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting attack.

tags | advisory, remote, web, xss, ruby
systems | linux, redhat
advisories | CVE-2016-6316
MD5 | b2f11a1ca8fc16b93f03da181e048780
Red Hat Security Advisory 2016-1858-01
Posted Sep 13, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-1858-01 - Ruby on Rails is a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Security Fix: It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting attack.

tags | advisory, remote, web, xss, ruby
systems | linux, redhat
advisories | CVE-2016-6316
MD5 | 5496f33dcf9ad8e9523c64d1adccfbd2
CodeWarrior 0.3
Posted Sep 13, 2016
Authored by coolervoid

CodeWarrior is a manual code and static analysis tool. It has many modules, one for each common language like PHP, ASP, Ruby, C/C++, Java and Javascript. Each module has rules in raw text with parameters like description, type, reference, relevance and match (regex to detect pattern). You can also create your own rules.

tags | tool, php, javascript, asp, ruby
systems | unix
MD5 | 125797229a978f1c58e1d352c00eb34e
Red Hat Security Advisory 2016-1634-02
Posted Aug 21, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-1634-02 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Security Fix: It was found that the CloudForms web UI did not properly filter input in certain fields. A remote, authenticated attacker could use this flaw to execute arbitrary code on the system running CloudForms.

tags | advisory, remote, web, arbitrary, ruby
systems | linux, redhat
advisories | CVE-2016-5383
MD5 | 6d100c4cfd59a147d4083bcbca4a4097
Keystone 0.9.1
Posted Jul 27, 2016
Authored by Nguyen Anh Quynh | Site keystone-engine.org

Keystone is a lightweight multi-platform, multi-architecture assembler framework. Highlight features include multi-architecture, with support for Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ, and X86 (include 16/32/64bit). It has a clean and lightweight architecture-neutral API. It's implemented in C/C++ languages, with bindings for Python, NodeJS, Ruby, Go and Rust available and also has native support for Windows and various Unix flavors.

Changes: Various updates.
tags | tool, x86, python, ruby
systems | windows, unix
MD5 | 966e0395a3733f68518a2833e64134c1
Page 1 of 19
Back12345Next

File Archive:

September 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    5 Files
  • 2
    Sep 2nd
    5 Files
  • 3
    Sep 3rd
    3 Files
  • 4
    Sep 4th
    13 Files
  • 5
    Sep 5th
    16 Files
  • 6
    Sep 6th
    15 Files
  • 7
    Sep 7th
    20 Files
  • 8
    Sep 8th
    16 Files
  • 9
    Sep 9th
    4 Files
  • 10
    Sep 10th
    2 Files
  • 11
    Sep 11th
    15 Files
  • 12
    Sep 12th
    19 Files
  • 13
    Sep 13th
    20 Files
  • 14
    Sep 14th
    38 Files
  • 15
    Sep 15th
    31 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    7 Files
  • 18
    Sep 18th
    15 Files
  • 19
    Sep 19th
    40 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    10 Files
  • 23
    Sep 23rd
    1 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close