GLSA Advocate
Posted: Tue Feb 20, 2018 3:26 am Post subject: [ GLSA 201802-05 ] Ruby
Gentoo Linux Security Advisory
Title: Ruby: Command injection (GLSA 201802-05)
Severity: normal
Exploitable: remote
Date: 2018-02-20
Bug(s): #641090
ID: 201802-05
Synopsis
A vulnerability has been found in Ruby which may allow for
arbitrary command execution.
Background
Ruby is an interpreted object-oriented programming language. The
elaborate standard library includes an HTTP server (“WEBrick”) and a
class for XML parsing (“REXML”).
Affected Packages
Package: dev-lang/ruby
Vulnerable: < 2.2.9
Unaffected: >= 2.2.9
Architectures: All supported architectures
Description
A command injection flaw was discovered in Net::FTP which impacts Ruby.
Impact
A remote attacker, by enticing a user to download and open a crafted
file from a malicious FTP server, could execute arbitrary commands with
the privileges of the process.
Workaround
There is no known workaround at this time.
Resolution
All Ruby users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-2.2.9:2.2"
References
CVE-2017-17405