GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Fri Mar 13, 2020 3:26 am Post subject: [ GLSA 202003-06 ] Ruby
Gentoo Linux Security Advisory
Title: Ruby: Multiple vulnerabilities (GLSA 202003-06)
Severity: normal
Exploitable: remote
Date: 2020-03-13
Bug(s): #696004
ID: 202003-06
Synopsis
Multiple vulnerabilities have been found in Ruby, the worst of
which could lead to the remote execution of arbitrary code.
Background
Ruby is an interpreted object-oriented programming language. The
elaborate standard library includes an HTTP server (“WEBrick”) and a
class for XML parsing (“REXML”).
Affected Packages
Package: dev-lang/ruby
Vulnerable: < 2.4.9
Vulnerable: < 2.5.7
Unaffected: >= 2.4.9
Unaffected: >= 2.5.7
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in Ruby. Please review the
CVE identifiers referenced below for details.
Impact
A remote attacker could execute arbitrary code, have unauthorized access
by bypassing intended path matching or cause a Denial of Service
condition.
Workaround
There is no known workaround at this time.
Resolution
All Ruby 2.4.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.4.9:2.4"

All Ruby 2.5.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.5.7:2.5"
References
CVE-2019-15845
CVE-2019-16201
CVE-2019-16254
CVE-2019-16255
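As an added defender-side check, not part of the advisory or of Gentoo's own tooling: a short Ruby script that decides whether a given dev-lang/ruby version string falls inside the affected ranges listed above, and reports the running interpreter's status when executed directly. It assumes that a Gentoo revision suffix (-rN) does not change the upstream version being compared, and that release series other than 2.4 and 2.5 are simply outside this advisory's scope (reported as "not covered" rather than as safe).

```ruby
require "rubygems" # Gem::Version is part of Ruby's standard distribution

# Fixed releases named in GLSA 202003-06, keyed by release series (slot).
FIXED_VERSIONS = {
  "2.4" => Gem::Version.new("2.4.9"),
  "2.5" => Gem::Version.new("2.5.7"),
}.freeze

# Strip a Gentoo package revision such as "-r1" (assumption: the revision
# does not alter the upstream Ruby version the advisory talks about).
# Gem::Version would otherwise read "2.5.7-r1" as a pre-release of 2.5.7
# and wrongly rank it below the fixed version.
def upstream_version(version_string)
  Gem::Version.new(version_string.to_s.strip.sub(/-r\d+\z/, ""))
end

# Returns true when the version is below the fixed release for its series,
# false when it is at or above it, and nil when the series is not covered
# by this advisory.
def affected?(version_string)
  version = upstream_version(version_string)
  series = version.segments.first(2).join(".")
  fixed = FIXED_VERSIONS[series]
  return nil if fixed.nil?
  version < fixed
end

# One-line verdict suitable for a host inventory or a cron report.
def verdict(version_string)
  series = upstream_version(version_string).segments.first(2).join(".")
  case affected?(version_string)
  when true
    "#{version_string}: AFFECTED by GLSA 202003-06, upgrade to >=dev-lang/ruby-#{FIXED_VERSIONS[series]}:#{series}"
  when false
    "#{version_string}: not affected (>= #{FIXED_VERSIONS[series]})"
  else
    "#{version_string}: series #{series} not covered by GLSA 202003-06"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Report on the interpreter that is running this script.
  puts verdict(RUBY_VERSION)
end
```

Run it with each installed slot's interpreter (for example `ruby24 check.rb` and `ruby25 check.rb` on a multi-slot host) so every installed Ruby is checked, not only the one `eselect ruby` currently points at.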