Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2017-17742: Ruby 2.5.1 Released

Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.

CVE
#vulnerability#web#ruby

Posted by naruse on 28 Mar 2018

Ruby 2.5.1 has been released.

This release includes some bug fixes and some security fixes.

  • CVE-2017-17742: HTTP response splitting in WEBrick
  • CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
  • CVE-2018-8777: DoS by large request in WEBrick
  • CVE-2018-8778: Buffer under-read in String#unpack
  • CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
  • CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
  • Multiple vulnerabilities in RubyGems

There are also some bug fixes. See commit logs for more details.

Download

  • https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.gz

    SIZE:   15923244 bytes
    SHA1:   93fafd57a724974b951957c522cdc4478a6bdc2e
    SHA256: dac81822325b79c3ba9532b048c2123357d3310b2b40024202f360251d9829b1
    SHA512: 67badcd96fd3808cafd6bc86c970cd83aee7e5ec682f34e7353663d96211a6af314a4c818e537ec8ca51fbc0737aac4e28e0ebacf1a4d1e13db558b623a0f6b1
    
  • https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.zip

    SIZE:   19525307 bytes
    SHA1:   4fe511496f1eea0c3c1ac0c5f75ef11168ad1695
    SHA256: 5d8e490896c8353aa574be56ca9aa52c250390e76e36cd23df450c0434ada4d4
    SHA512: 490a52081e740b37f06215740734e9a6598ee9b492995b3161d720b5b05beadb4570aa526b3df01f686881b1e259aa7d4a59c1f398989dc2d5f8250342d986f7
    
  • https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.bz2

    SIZE:   14000644 bytes
    SHA1:   251fdb5ac10783b036fe923aa7986be582062361
    SHA256: 0f5d20f012baca865381a055e73f22db814615fee3c68083182cb78a4b3b30cb
    SHA512: 82e799ecf7257a9f5fe8691c50a478b0f91bd4bdca50341c839634b0da5cd76c5556965cb9437264b66438434c94210c949fe9dab88cbc5b3b7fa34b5382659b
    
  • https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.xz

    SIZE:   11348108 bytes
    SHA1:   0fb5da56f9e5fca45e36aa24ba842d935d1691c2
    SHA256: 886ac5eed41e3b5fc699be837b0087a6a5a3d10f464087560d2d21b3e71b754d
    SHA512: 31bacf58469953282cd5d8b51862dcf4b84dedb927c1871bc3fca32fc157fe49187631575a70838705fe246f4555647577a7ecc26894445a7d64de5503dc11b4
    

Release Comment

Many committers, developers, and users who provided bug reports helped us to make this release. Thanks for their contributions.

Related news

CVE-2023-28864: Chef Infra Server Release Notes

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907