File _patchinfo of Package patchinfo.15222
<patchinfo incident="15222">
<issue tracker="bnc" id="1172275">S:M:15222:219148 ruby2.1 update broke yast2 --ncurses</issue>
<issue tracker="bnc" id="1043983">VUL-0: CVE-2015-9096: ruby,ruby19,ruby2.1: Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command</issue>
<issue tracker="bnc" id="1048072">[Regression] Updating libruby to libruby2_1-2_1-2.1.9-15.1.x86_64.rpm causes YaST to exit on startup</issue>
<issue tracker="bnc" id="1055265">VUL-0: CVE-2016-7798: ruby,ruby19,ruby2.1: IV Reuse in GCM Mode</issue>
<issue tracker="bnc" id="1056286">VUL-0: CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902: rubygems,ruby19,ruby2.1: multiple vulnerabilities fixed in 2.6.13</issue>
<issue tracker="bnc" id="1056782">VUL-0: CVE-2017-14064: ruby: arbitrary memory exposure during a JSON.generate call</issue>
<issue tracker="bnc" id="1058754">VUL-0: CVE-2017-10784: ruby19,ruby,ruby2.1: Escape sequence injection vulnerability in the Basic authentication of WEBrick</issue>
<issue tracker="bnc" id="1058755">VUL-0: CVE-2017-0898: ruby19,ruby,ruby2.1: Buffer underrun vulnerability in Kernel.sprintf</issue>
<issue tracker="bnc" id="1058757">VUL-0: CVE-2017-14033: ruby19,ruby,ruby2.1: Buffer underrun vulnerability in OpenSSL ASN1 decode</issue>
<issue tracker="bnc" id="1062452">VUL-0: CVE-2017-0903: rubygems,ruby2.1: Unsafe Object Deserialization Vulnerability</issue>
<issue tracker="bnc" id="1069607">VUL-0: CVE-2017-9228: ruby19,ruby2.1: heap out-of-bounds write occurs in bitset_set_range() during regex compilation</issue>
<issue tracker="bnc" id="1069632">VUL-0: CVE-2017-9229: ruby19,ruby2.1,ruby,ruby2: oniguruma: Invalid pointer dereference in left_adjust_char_head()</issue>
<issue tracker="bnc" id="1073002">VUL-0: CVE-2017-17405: ruby19,ruby,ruby2.1: Command injection vulnerability in Net::FTP</issue>
<issue tracker="bnc" id="1078782">VUL-0: CVE-2017-17790: ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution</issue>
<issue tracker="bnc" id="1082007">VUL-1: CVE-2018-1000073: ruby,rubygems: Path traversal when writing to a symlinked basedir outside of the root</issue>
<issue tracker="bnc" id="1082008">VUL-1: CVE-2018-1000074: ruby,rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML</issue>
<issue tracker="bnc" id="1082009">VUL-1: CVE-2018-1000076: ruby,rubygems: Improper verification of signatures in tarball allows to install mis-signed gem</issue>
<issue tracker="bnc" id="1082010">VUL-1: CVE-2018-1000077: ruby,rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL</issue>
<issue tracker="bnc" id="1082011">VUL-0: CVE-2018-1000078: ruby,rubygems: XSS vulnerability in homepage attribute when displayed via gem server</issue>
<issue tracker="bnc" id="1082014">VUL-1: CVE-2018-1000075: ruby,rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service</issue>
<issue tracker="bnc" id="1082058">VUL-0: CVE-2018-1000079: ruby2.1: Path traversal issue during gem installation allows to write to arbitrary filesystem locations</issue>
<issue tracker="bnc" id="1087433">VUL-1: CVE-2018-8778: ruby19,ruby,ruby2.1: Buffer under-read in String#unpack</issue>
<issue tracker="bnc" id="1087434">VUL-1: CVE-2017-17742: ruby19,ruby,ruby2.1: HTTP response splitting in WEBrick</issue>
<issue tracker="bnc" id="1087436">VUL-1: CVE-2018-8777: ruby19,ruby,ruby2.1: DoS by large request in WEBrick</issue>
<issue tracker="bnc" id="1087437">VUL-1: CVE-2018-8780: ruby19,ruby,ruby2.1: Unintentional directory traversal by poisoned NUL byte in Dir</issue>
<issue tracker="bnc" id="1087440">VUL-1: CVE-2018-8779: ruby19,ruby,ruby2.1: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket</issue>
<issue tracker="bnc" id="1087441">VUL-1: CVE-2018-6914: ruby19,ruby,ruby2.1: Unintentional file and directory creation with directory traversal in tempfile and tmpdir</issue>
<issue tracker="bnc" id="1112530">VUL-0: CVE-2018-16395: ruby19,ruby,ruby2.1: OpenSSL::X509::Name equality check does not work correctly</issue>
<issue tracker="bnc" id="1112532">VUL-0: CVE-2018-16396: ruby,ruby2.1: Tainted flags are not propagated in Array#pack and String#unpack with some directives</issue>
<issue tracker="bnc" id="1130611">VUL-0: CVE-2019-8325: rubygems,ruby,ruby2.1: rubygems: Escape sequence injection vulnerability in errors</issue>
<issue tracker="bnc" id="1130617">VUL-0: CVE-2019-8324: rubygems,ruby2.1: rubygems: Installing a malicious gem may lead to arbitrary code execution</issue>
<issue tracker="bnc" id="1130620">VUL-0: CVE-2019-8323: rubygems,ruby19,ruby2.1: rubygems: Escape sequence injection vulnerability in API response handling</issue>
<issue tracker="bnc" id="1130622">VUL-0: CVE-2019-8322: rubygems,ruby19,ruby2.1: rubygems: Escape sequence injection vulnerability in gem owner</issue>
<issue tracker="bnc" id="1130623">VUL-0: CVE-2019-8321: rubygems,ruby19,ruby2.1: rubygems: Escape sequence injection vulnerability in verbose</issue>
<issue tracker="bnc" id="1130627">VUL-0: CVE-2019-8320: rubygems,ruby19,ruby2.1: rubygems: Delete directory using symlink when decompressing tar</issue>
<issue tracker="bnc" id="1152990">VUL-0: CVE-2019-16255: ruby2.5,ruby,ruby2.1: code injection vulnerability of Shell#[] and Shell#test</issue>
<issue tracker="bnc" id="1152992">VUL-0: CVE-2019-16254: ruby2.5,ruby,ruby2.1: HTTP response splitting in WEBrick (Additional fix)</issue>
<issue tracker="bnc" id="1152994">VUL-0: CVE-2019-15845: ruby2.5,ruby,ruby2.1: A NUL injection vulnerability of File.fnmatch and File.fnmatch?</issue>
<issue tracker="bnc" id="1152995">VUL-0: CVE-2019-16201: ruby2.5,ruby,ruby2.1: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication</issue>
<issue tracker="bnc" id="1171517">VUL-1: CVE-2020-10663: ruby2.1,ruby2.5: Unsafe Object Creation Vulnerability in JSON</issue>
<issue tracker="cve" id="2015-9096"/>
<issue tracker="cve" id="2016-2339"/>
<issue tracker="cve" id="2016-7798"/>
<issue tracker="cve" id="2017-0898"/>
<issue tracker="cve" id="2017-0899"/>
<issue tracker="cve" id="2017-0900"/>
<issue tracker="cve" id="2017-0901"/>
<issue tracker="cve" id="2017-0902"/>
<issue tracker="cve" id="2017-0903"/>
<issue tracker="cve" id="2017-9228"/>
<issue tracker="cve" id="2017-9229"/>
<issue tracker="cve" id="2017-10784"/>
<issue tracker="cve" id="2017-14033"/>
<issue tracker="cve" id="2017-14064"/>
<issue tracker="cve" id="2017-17405"/>
<issue tracker="cve" id="2017-17742"/>
<issue tracker="cve" id="2017-17790"/>
<issue tracker="cve" id="2018-6914"/>
<issue tracker="cve" id="2018-8777"/>
<issue tracker="cve" id="2018-8778"/>
<issue tracker="cve" id="2018-8779"/>
<issue tracker="cve" id="2018-8780"/>
<issue tracker="cve" id="2018-16395"/>
<issue tracker="cve" id="2018-16396"/>
<issue tracker="cve" id="2018-1000073"/>
<issue tracker="cve" id="2018-1000074"/>
<issue tracker="cve" id="2018-1000075"/>
<issue tracker="cve" id="2018-1000076"/>
<issue tracker="cve" id="2018-1000077"/>
<issue tracker="cve" id="2018-1000078"/>
<issue tracker="cve" id="2018-1000079"/>
<issue tracker="cve" id="2019-8320"/>
<issue tracker="cve" id="2019-8321"/>
<issue tracker="cve" id="2019-8322"/>
<issue tracker="cve" id="2019-8323"/>
<issue tracker="cve" id="2019-8324"/>
<issue tracker="cve" id="2019-8325"/>
<issue tracker="cve" id="2019-15845"/>
<issue tracker="cve" id="2019-16201"/>
<issue tracker="cve" id="2019-16254"/>
<issue tracker="cve" id="2019-16255"/>
<issue tracker="cve" id="2020-10663"/>
<packager>darix</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for ruby2.1</summary>
<description>This update for ruby2.1 fixes the following issues:
Security issues fixed:
- CVE-2015-9096: Fixed an SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications, where insufficient sanitation when printing gem specifications could have included terminal escape characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, where the query command could have led to a denial of service attack against clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications, which could potentially have overwritten arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications that could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
- CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to a negative size in a tar header that caused a denial of service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed an XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation that allowed writing to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).
Non-security issue fixed:
- Added conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).
Also, yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter (bsc#1172275).
</description>
</patchinfo>