USN-3365-1

Description

ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities It was discovered that Ruby DL::dlopen incorrectly handled opening libraries. An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147) Tony Arcieri, Jeffrey Walton, and Steffan Ullrich discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855) Christian Hofstaedtler discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-7551) It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences. A remote attacker could possibly use this issue to inject SMTP commands. (CVE-2015-9096) Marcin Noga discovered that Ruby incorrectly handled certain arguments in a TclTkIp class method. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2337) It was discovered that Ruby Fiddle::Function.new incorrectly handled certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2339) It was discovered that Ruby incorrectly handled the initialization vector (IV) in GCM mode. An attacker could possibly use this issue to bypass encryption. (CVE-2016-7798)

Affected Systems

• ubuntu•ruby1.9.1

  < 1.9.3.484-2ubuntu1.3

• ubuntu•ruby2.0

  < 2.0.0.484-1ubuntu2.4

• ubuntu•ruby2.3

  < 2.3.1-2~16.04.2

References (8)

• https://ubuntu.com/security/notices/USN-3365-1
• https://ubuntu.com/security/CVE-2009-5147
• https://ubuntu.com/security/CVE-2015-1855
• https://ubuntu.com/security/CVE-2015-7551
• https://ubuntu.com/security/CVE-2015-9096
• https://ubuntu.com/security/CVE-2016-2337
• https://ubuntu.com/security/CVE-2016-2339
• https://ubuntu.com/security/CVE-2016-7798