ruby2.3 (2.3.3-1+deb9u3) stretch-security; urgency=medium
[ Santiago R.R. ]
* Fix Command injection vulnerability in Net::FTP.
[CVE-2017-17405]
* webrick: use IO.copy_stream for multipart response. Required changes in
WEBrick to fix CVE-2017-17742 and CVE-2018-8777
* Fix HTTP response splitting in WEBrick.
[CVE-2017-17742]
* Fix Command Injection in Hosts::new() by use of Kernel#open.
[CVE-2017-17790]
* Fix Unintentional directory traversal by poisoned NUL byte in Dir
[CVE-2018-8780]
* Fix multiple vulnerabilities in RubyGems.
CVE-2018-
1000073: Prevent Path Traversal issue during gem installation.
CVE-2018-
1000074: Fix possible Unsafe Object Deserialization
Vulnerability in gem owner.
CVE-2018-
1000075: Strictly interpret octal fields in tar headers.
CVE-2018-
1000076: Raise a security error when there are duplicate files
in a package.
CVE-2018-
1000077: Enforce URL validation on spec homepage attribute.
CVE-2018-
1000078: Mitigate XSS vulnerability in homepage attribute when
displayed via gem server.
CVE-2018-
1000079: Prevent path traversal when writing to a symlinked
basedir outside of the root.
* Fix directory traversal vulnerability in the Dir.mktmpdir method in the
tmpdir library
[CVE-2018-6914]
* Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and
UNIXSocket
[CVE-2018-8779]
* Fix Buffer under-read in String#unpack
[CVE-2018-8778]
* Fix tests to cope with updates in tzdata (Closes: #889117)
* Exclude Rinda TestRingFinger and TestRingServer test units requiring
network access (Closes: #898694)
[ Antonio Terceiro ]
* debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to
assumptions that don't hold on newer tzdata update. Upstream bug:
https://bugs.ruby-lang.org/issues/14655
[dgit import unpatched ruby2.3 2.3.3-1+deb9u3]
projects / ruby2.3.git / log