Security update for ruby2.1 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1128-1 Final 1 1 2017-04-28T10:55:03Z current 2017-04-28T10:55:03Z 2017-04-28T10:55:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ruby2.1 This ruby2.1 update to version 2.1.9 fixes the following issues: Security issues fixed: - CVE-2016-2339: heap overflow vulnerability in the Fiddle::Function.new'initialize' (bsc#1018808) - CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495) - CVE-2015-3900: hostname validation does not work when fetching gems or making API requests (bsc#936032) - CVE-2015-1855: Ruby'a OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames (bsc#926974) - CVE-2014-4975: off-by-one stack-based buffer overflow in the encodes() function (bsc#887877) Bugfixes: - SUSEconnect doesn't handle domain wildcards in no_proxy environment variable properly (bsc#1014863) - Segmentation fault after pack & ioctl & unpack (bsc#909695) - Ruby:HTTP Header injection in 'net/http' (bsc#986630) ChangeLog: - http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00034.html E-Mail link for openSUSE-SU-2017:1128-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 libruby2_1-2_1-2.1.9-8.3.2 ruby2.1-2.1.9-8.3.2 ruby2.1-devel-2.1.9-8.3.2 ruby2.1-devel-extra-2.1.9-8.3.2 ruby2.1-doc-2.1.9-8.3.2 ruby2.1-doc-ri-2.1.9-8.3.2 ruby2.1-stdlib-2.1.9-8.3.2 libruby2_1-2_1-2.1.9-8.3.2 as a component of openSUSE Leap 42.1 ruby2.1-2.1.9-8.3.2 as a component of openSUSE Leap 42.1 ruby2.1-devel-2.1.9-8.3.2 as a component of openSUSE Leap 42.1 ruby2.1-devel-extra-2.1.9-8.3.2 as a component of openSUSE Leap 42.1 ruby2.1-doc-2.1.9-8.3.2 as a component of openSUSE Leap 42.1 ruby2.1-doc-ri-2.1.9-8.3.2 as a component of openSUSE Leap 42.1 ruby2.1-stdlib-2.1.9-8.3.2 as a component of openSUSE Leap 42.1 libruby2_1-2_1-2.1.9-8.3.2 as a component of openSUSE Leap 42.2 ruby2.1-2.1.9-8.3.2 as a component of openSUSE Leap 42.2 ruby2.1-devel-2.1.9-8.3.2 as a component of openSUSE Leap 42.2 ruby2.1-devel-extra-2.1.9-8.3.2 as a component of openSUSE Leap 42.2 ruby2.1-doc-2.1.9-8.3.2 as a component of openSUSE Leap 42.2 ruby2.1-doc-ri-2.1.9-8.3.2 as a component of openSUSE Leap 42.2 ruby2.1-stdlib-2.1.9-8.3.2 as a component of openSUSE Leap 42.2 Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow. CVE-2014-4975 openSUSE Leap 42.1:libruby2_1-2_1-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-devel-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-devel-extra-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-doc-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-doc-ri-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-stdlib-2.1.9-8.3.2 openSUSE Leap 42.2:libruby2_1-2_1-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-devel-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-devel-extra-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-doc-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-doc-ri-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-stdlib-2.1.9-8.3.2 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00034.html https://www.suse.com/security/cve/CVE-2014-4975.html CVE-2014-4975 https://bugzilla.suse.com/887877 SUSE Bug 887877 verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. CVE-2015-1855 openSUSE Leap 42.1:libruby2_1-2_1-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-devel-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-devel-extra-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-doc-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-doc-ri-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-stdlib-2.1.9-8.3.2 openSUSE Leap 42.2:libruby2_1-2_1-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-devel-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-devel-extra-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-doc-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-doc-ri-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-stdlib-2.1.9-8.3.2 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00034.html https://www.suse.com/security/cve/CVE-2015-1855.html CVE-2015-1855 https://bugzilla.suse.com/926974 SUSE Bug 926974 RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." CVE-2015-3900 openSUSE Leap 42.1:libruby2_1-2_1-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-devel-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-devel-extra-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-doc-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-doc-ri-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-stdlib-2.1.9-8.3.2 openSUSE Leap 42.2:libruby2_1-2_1-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-devel-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-devel-extra-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-doc-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-doc-ri-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-stdlib-2.1.9-8.3.2 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00034.html https://www.suse.com/security/cve/CVE-2015-3900.html CVE-2015-3900 https://bugzilla.suse.com/936032 SUSE Bug 936032 The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression. CVE-2015-7551 openSUSE Leap 42.1:libruby2_1-2_1-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-devel-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-devel-extra-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-doc-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-doc-ri-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-stdlib-2.1.9-8.3.2 openSUSE Leap 42.2:libruby2_1-2_1-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-devel-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-devel-extra-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-doc-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-doc-ri-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-stdlib-2.1.9-8.3.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00034.html https://www.suse.com/security/cve/CVE-2015-7551.html CVE-2015-7551 https://bugzilla.suse.com/939860 SUSE Bug 939860 https://bugzilla.suse.com/959495 SUSE Bug 959495 An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow. CVE-2016-2339 openSUSE Leap 42.1:libruby2_1-2_1-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-devel-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-devel-extra-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-doc-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-doc-ri-2.1.9-8.3.2 openSUSE Leap 42.1:ruby2.1-stdlib-2.1.9-8.3.2 openSUSE Leap 42.2:libruby2_1-2_1-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-devel-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-devel-extra-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-doc-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-doc-ri-2.1.9-8.3.2 openSUSE Leap 42.2:ruby2.1-stdlib-2.1.9-8.3.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00034.html https://www.suse.com/security/cve/CVE-2016-2339.html CVE-2016-2339 https://bugzilla.suse.com/1018808 SUSE Bug 1018808