Bugzilla – Bug 1056286
VUL-0: CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902: rubygems,ruby19,ruby2.1: multiple vulnerabilities fixed in 2.6.13
Last modified: 2022-05-02 10:24:55 UTC
http://blog.rubygems.org/2017/08/27/2.6.13-released.html

2.6.13 Released
by Samuel Giddins

RubyGems 2.6.13 includes security fixes. To update to the latest RubyGems you can run:

gem update --system

If you need to upgrade or downgrade please follow the how to upgrade/downgrade RubyGems instructions. To install RubyGems by hand see the Download RubyGems page.

Security fixes:
- Fix a DNS request hijacking vulnerability. Discovered by Jonathan Claudius, fix by Samuel Giddins.
- Fix an ANSI escape sequence vulnerability. Discovered by Yusuke Endoh, fix by Evan Phoenix.
- Fix a DOS vulnerability in the query command. Discovered by Yusuke Endoh, fix by Samuel Giddins.
- Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel Giddins.

As always, please report any security issues discovered in RubyGems to the RubyGems project on HackerOne.
CVE-2017-0899: ANSI escape issue
CVE-2017-0900: query command
CVE-2017-0901: overwrite any file
CVE-2017-0902: DNS issue
CVE-2017-0900: RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.
Upstream patch: https://github.com/rubygems/rubygems/commit/8a38a4fc24c6591e6c8f43d1fadab6efeb4d6251
Bug report: https://hackerone.com/reports/243003

CVE-2017-0902: RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
Upstream patches: https://github.com/rubygems/rubygems/commit/8d91516fb7037ecfb27622f605dc40245e0f8d32
Bug report: https://hackerone.com/reports/218088

CVE-2017-0901: RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
Upstream patch: https://github.com/rubygems/rubygems/commit/ad5c0a53a86ca5b218c7976765c0365b91d22cb2
Bug report: https://hackerone.com/reports/243156

CVE-2017-0899: RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
Upstream patches:
https://github.com/rubygems/rubygems/commit/1bcbc7fe637b03145401ec9c094066285934a7f1
https://github.com/rubygems/rubygems/commit/ef0aa611effb5f54d40c7fba6e8235eb43c5a491
Bug report: https://hackerone.com/reports/226335
CVE-2017-0902: ruby2.1 has the _rubygems multicast DNS lookup, older ones do not.
CVE-2017-0899: no filtering of text from ANSI escape sequences in ruby2.1 and older even.
CVE-2017-0901: also likely all affected.
CVE-2017-0900: lots of data denial of service... likely all.
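As an added example that is not part of this bug report or of rubygems' own code, the two input checks that the CVE-2017-0901 and CVE-2017-0899 fixes above describe, written as stand-alone Ruby: the gem-name character whitelist and the install-path containment check are this example's assumptions modelled on the fix descriptions, not copies of the upstream commits, and the sample metadata is constructed.

```ruby
# Added example (not rubygems' own code): defensive checks of the kind the
# CVE-2017-0901 and CVE-2017-0899 fixes describe.

# CVE-2017-0901: the gem name is used to build paths under the gems
# directory (e.g. <gems>/<name>-<version>/). Restricting it to a
# conservative character set means it can never contain a path separator
# or traverse upward. The regex is an assumption for this example.
SAFE_GEM_NAME = /\A[a-zA-Z0-9._-]+\z/

def safe_gem_name?(name)
  return false unless name.is_a?(String)
  return false if name.empty? || name.start_with?(".")
  name.match?(SAFE_GEM_NAME)
end

# Resolve the install directory the way an installer would and refuse it
# if it escapes the gems root, as defence in depth behind the name check.
def install_dir(gems_root, name, version)
  raise ArgumentError, "bad gem name: #{name.inspect}" unless safe_gem_name?(name)
  root = File.expand_path(gems_root)
  path = File.expand_path(File.join(root, "#{name}-#{version}"))
  raise ArgumentError, "path escapes #{root}" unless path.start_with?(root + File::SEPARATOR)
  path
end

# CVE-2017-0899: spec fields such as summary/description are echoed to the
# terminal by `gem spec` / `gem query`. Strip ESC-introduced OSC and CSI
# sequences and stray C0 control characters (keeping tab/newline/CR)
# before anything from a spec is printed.
def strip_terminal_escapes(text)
  text.to_s
      .gsub(/\e\][^\a\e]*(?:\a|\e\\)/, "")          # OSC ... BEL/ST (title, hyperlinks)
      .gsub(/\e\[[\d;?]*[ -\/]*[@-~]/, "")           # CSI (colour, cursor, clear screen)
      .gsub(/\e./m, "")                               # any other two-byte ESC sequence
      .gsub(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/, "")  # remaining control characters
end

# Constructed sample metadata (not a real gem):
if __FILE__ == $0
  spec = { "name" => "../../../../tmp/evil", "summary" => "nice\e[2J\e]0;pwned\agem" }
  puts safe_gem_name?(spec["name"])            # false
  puts strip_terminal_escapes(spec["summary"]) # nicegem
end
```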
This is an autogenerated message for OBS integration: This bug (1056286) was mentioned in https://build.opensuse.org/request/show/540224 Factory / ruby2.4
This is an autogenerated message for OBS integration: This bug (1056286) was mentioned in https://build.opensuse.org/request/show/543851 Factory / ruby2.4
SUSE-SU-2020:1570-1: An update that fixes 42 vulnerabilities is now available.

Category: security (important)

Bug References: 1043983,1048072,1055265,1056286,1056782,1057754,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275

CVE References: CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663

Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): ruby2.1-2.1.9-19.3.2
SUSE OpenStack Cloud 8 (src): ruby2.1-2.1.9-19.3.2
SUSE OpenStack Cloud 7 (src): ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src): ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src): ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Server 12-SP5 (src): ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP4 (src): ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src): ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP3-BCL (src): ruby2.1-2.1.9-19.3.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src): ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): ruby2.1-2.1.9-19.3.2, yast2-ruby-bindings-3.1.53-9.8.1
SUSE Enterprise Storage 5 (src): ruby2.1-2.1.9-19.3.2
HPE Helion Openstack 8 (src): ruby2.1-2.1.9-19.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done.