Headline
Debian Security Advisory 5677-1
Debian Linux Security Advisory 5677-1 - Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in information disclosure, denial of service or the execution of arbitrary code.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5677-1 [email protected]://www.debian.org/security/ Moritz MuehlenhoffMay 03, 2024 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : ruby3.1CVE ID : CVE-2024-27280 CVE-2024-27281 CVE-2024-27282Several vulnerabilities have been discovered in the interpreter forthe Ruby language, which may result in information disclosure, denialof service or the execution of arbitrary code.For the stable distribution (bookworm), these problems have been fixed inversion 3.1.2-7+deb12u1.We recommend that you upgrade your ruby3.1 packages.For the detailed security status of ruby3.1 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/ruby3.1Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmY1PxYACgkQEMKTtsN8TjZftBAAoJ8Fvgz0vhJl8HNpozdLc7nyThu/dZ8QCcSLgCt1xJQYModeC+1PnQdswTnEXDjWKTVB4N+xot663SmdnKptCgqqI9zb7ZLZQodo9euZAOyT/cXmaa7+/QPgkULr3rGco8xh2yirKLhoEwpOvVQ7dKePc66Pnj1ni9mnMRCYPRjfXrBsPHkt+KiH2MAHdeP5Na5rWzlXvKS7W5hRU8siovSnqg5Apc8Zx1MKuOI2ni7dm0i9s9DeWsNTJ54Y5Q+6QxqpajzmowL3dQNHJHebyzRbBWhqOhmQojVkyIY2s0WOOHXRD6gS+wwEMJGVnluBTAuUHn8JMXHX5A2I5d8vhDkUq1QZZxSjNbNqU/FXKuyfAGKQNvtedesu10nfq5StWPoV24aKBp+bMuopO6jVExXNvAmPHTpXC59a2N3WBmUuXOas4tJHBTfJ6XgP6JX8hom24/LUjrS1xOlfCt5BEKoU6FICVv3Vx3Uc8yeBD2/bSxaY/qbotnN7EgdZ6MhzAga2OxMzSqJJ7iUZLBg3C2A1AdoQRYfp8i9NFu8vvd3Ra3pjn38ELJUaxQAvpFw6xhuYsY4HyIcHqQ3SnrFRH3DrEHjncD2L9iRZktpKpRJJ5os/Fs1Wd4gJwfGic7yfmKOyDQYRPrZgWyyezwHsWy1YeffVXATlBJHvvuXiuFY=+u3s-----END PGP SIGNATURE-----Related news
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache. We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: * For Ruby 3.0 users: Update to `rdoc` 6.3.4.1 * For Ruby 3.1 users: Update to `rdoc` 6.4.1.1 * For Ruby 3.2 users: Update to `rdoc` 6.5.1.1 You can use `gem update rdoc` to update it. If you are using bundler, please add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`. Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to upgrade 6.3.4.1, 6.4.1.1, ...
An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a string, and a subsequent call to `StringIO.gets` may return the memory value. This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later. We recommend to update the StringIO gem to version 3.0.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: * For Ruby 3.0 users: Update to `stringio` 3.0.1.1 * For Ruby 3.1 users: Update to `stringio` 3.1.0.2 You can use `gem update stringio` to update it. If you are using bundler, please add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`.