{
  "affected": [
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "libruby2_5-2_5": "2.5.5-lp151.4.3.1",
            "ruby-bundled-gems-rpmhelper": "0.0.2-lp151.2.1",
            "ruby2.5": "2.5.5-lp151.4.3.1",
            "ruby2.5-devel": "2.5.5-lp151.4.3.1",
            "ruby2.5-devel-extra": "2.5.5-lp151.4.3.1",
            "ruby2.5-doc": "2.5.5-lp151.4.3.1",
            "ruby2.5-doc-ri": "2.5.5-lp151.4.3.1",
            "ruby2.5-stdlib": "2.5.5-lp151.4.3.1"
          }
        ]
      },
      "package": {
        "ecosystem": "openSUSE:Leap 15.0",
        "name": "ruby-bundled-gems-rpmhelper",
        "purl": "pkg:rpm/opensuse/ruby-bundled-gems-rpmhelper&distro=openSUSE%20Leap%2015.0"
      },
      "ranges": [
        {
          "events": [
            { "introduced": "0" },
            { "fixed": "0.0.2-lp151.2.1" }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "libruby2_5-2_5": "2.5.5-lp151.4.3.1",
            "ruby-bundled-gems-rpmhelper": "0.0.2-lp151.2.1",
            "ruby2.5": "2.5.5-lp151.4.3.1",
            "ruby2.5-devel": "2.5.5-lp151.4.3.1",
            "ruby2.5-devel-extra": "2.5.5-lp151.4.3.1",
            "ruby2.5-doc": "2.5.5-lp151.4.3.1",
            "ruby2.5-doc-ri": "2.5.5-lp151.4.3.1",
            "ruby2.5-stdlib": "2.5.5-lp151.4.3.1"
          }
        ]
      },
      "package": {
        "ecosystem": "openSUSE:Leap 15.0",
        "name": "ruby2.5",
        "purl": "pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.0"
      },
      "ranges": [
        {
          "events": [
            { "introduced": "0" },
            { "fixed": "2.5.5-lp151.4.3.1" }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "libruby2_5-2_5": "2.5.5-lp151.4.3.1",
            "ruby-bundled-gems-rpmhelper": "0.0.2-lp151.2.1",
            "ruby2.5": "2.5.5-lp151.4.3.1",
            "ruby2.5-devel": "2.5.5-lp151.4.3.1",
            "ruby2.5-devel-extra": "2.5.5-lp151.4.3.1",
            "ruby2.5-doc": "2.5.5-lp151.4.3.1",
            "ruby2.5-doc-ri": "2.5.5-lp151.4.3.1",
            "ruby2.5-stdlib": "2.5.5-lp151.4.3.1"
          }
        ]
      },
      "package": {
        "ecosystem": "openSUSE:Leap 15.1",
        "name": "ruby-bundled-gems-rpmhelper",
        "purl": "pkg:rpm/opensuse/ruby-bundled-gems-rpmhelper&distro=openSUSE%20Leap%2015.1"
      },
      "ranges": [
        {
          "events": [
            { "introduced": "0" },
            { "fixed": "0.0.2-lp151.2.1" }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "libruby2_5-2_5": "2.5.5-lp151.4.3.1",
            "ruby-bundled-gems-rpmhelper": "0.0.2-lp151.2.1",
            "ruby2.5": "2.5.5-lp151.4.3.1",
            "ruby2.5-devel": "2.5.5-lp151.4.3.1",
            "ruby2.5-devel-extra": "2.5.5-lp151.4.3.1",
            "ruby2.5-doc": "2.5.5-lp151.4.3.1",
            "ruby2.5-doc-ri": "2.5.5-lp151.4.3.1",
            "ruby2.5-stdlib": "2.5.5-lp151.4.3.1"
          }
        ]
      },
      "package": {
        "ecosystem": "openSUSE:Leap 15.1",
        "name": "ruby2.5",
        "purl": "pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.1"
      },
      "ranges": [
        {
          "events": [
            { "introduced": "0" },
            { "fixed": "2.5.5-lp151.4.3.1" }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "details": "This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues:\n\nChanges in ruby2.5:\n\nUpdate to 2.5.5 and 2.5.4:\n\nhttps://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/\nhttps://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/\n\nSecurity issues fixed:\n\n- CVE-2019-8320: Delete directory using symlink when\n  decompressing tar (bsc#1130627)\n- CVE-2019-8321: Escape sequence injection vulnerability in\n  verbose  (bsc#1130623)\n- CVE-2019-8322: Escape sequence injection vulnerability in gem\n  owner  (bsc#1130622)\n- CVE-2019-8323: Escape sequence injection vulnerability in API\n  response handling  (bsc#1130620)\n- CVE-2019-8324: Installing a malicious gem may lead to arbitrary\n  code execution  (bsc#1130617)\n- CVE-2019-8325: Escape sequence injection vulnerability in\n  errors  (bsc#1130611)\n\n\nRuby 2.5 was updated to 2.5.3:\n\nThis release includes some bug fixes and some security fixes.\n\nSecurity issues fixed:\n\n- CVE-2018-16396: Tainted flags are not propagated in Array#pack\n  and String#unpack with some directives (bsc#1112532)\n- CVE-2018-16395: OpenSSL::X509::Name equality check does not\n  work correctly (bsc#1112530)\n\nRuby 2.5 was updated to 2.5.1:\n\nThis release includes some bug fixes and some security fixes.\n\nSecurity issues fixed:\n\n- CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434)\n- CVE-2018-6914: Unintentional file and directory creation with\n  directory traversal in tempfile and tmpdir (bsc#1087441)\n- CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436)\n- CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433)\n- CVE-2018-8779: Unintentional socket creation by poisoned NUL\n  byte in UNIXServer and UNIXSocket (bsc#1087440)\n- CVE-2018-8780: Unintentional directory traversal by poisoned\n  NUL byte in Dir (bsc#1087437)\n\n- Multiple vulnerabilities in RubyGems were fixed:\n\n  - CVE-2018-1000079: Fixed path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058)\n  - CVE-2018-1000075: Fixed infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014)\n  - CVE-2018-1000078: Fixed XSS vulnerability in homepage attribute when displayed via gem server (bsc#1082011)\n  - CVE-2018-1000077: Fixed that missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL (bsc#1082010)\n  - CVE-2018-1000076: Fixed improper verification of signatures in tarball allows to install mis-signed gem (bsc#1082009)\n  - CVE-2018-1000074: Fixed unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (bsc#1082008)\n  - CVE-2018-1000073: Fixed path traversal when writing to a symlinked basedir outside of the root (bsc#1082007)\n\nOther changes:\n\n- Fixed Net::POPMail methods modify frozen literal when using default arg\n- ruby: change over of the Japanese Era to the new emperor May 1st 2019 (bsc#1133790)\n- build with PIE support (bsc#1130028)\n\n\nChanges in ruby-bundled-gems-rpmhelper:\n\n- Add a new helper for bundled ruby gems.\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
  "id": "openSUSE-SU-2019:1771-1",
  "modified": "2019-07-21T05:37:45Z",
  "published": "2019-07-21T05:37:45Z",
  "references": [
    { "type": "ADVISORY", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DDFTKHWDUNIX327O4WIHXU2TIVV47W3Z/#DDFTKHWDUNIX327O4WIHXU2TIVV47W3Z" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1082007" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1082008" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1082009" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1082010" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1082011" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1082014" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1082058" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1087433" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1087434" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1087436" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1087437" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1087440" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1087441" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1112530" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1112532" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1130028" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1130611" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1130617" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1130620" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1130622" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1130623" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1130627" },
    { "type": "REPORT", "url": "https://bugzilla.suse.com/1133790" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2017-17742" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-1000073" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-1000074" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-1000075" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-1000076" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-1000077" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-1000078" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-1000079" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-16395" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-16396" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-6914" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-8777" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-8778" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-8779" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2018-8780" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2019-8320" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2019-8321" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2019-8322" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2019-8323" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2019-8324" },
    { "type": "WEB", "url": "https://www.suse.com/security/cve/CVE-2019-8325" }
  ],
  "related": [
    "CVE-2017-17742",
    "CVE-2018-1000073",
    "CVE-2018-1000074",
    "CVE-2018-1000075",
    "CVE-2018-1000076",
    "CVE-2018-1000077",
    "CVE-2018-1000078",
    "CVE-2018-1000079",
    "CVE-2018-16395",
    "CVE-2018-16396",
    "CVE-2018-6914",
    "CVE-2018-8777",
    "CVE-2018-8778",
    "CVE-2018-8779",
    "CVE-2018-8780",
    "CVE-2019-8320",
    "CVE-2019-8321",
    "CVE-2019-8322",
    "CVE-2019-8323",
    "CVE-2019-8324",
    "CVE-2019-8325"
  ],
  "summary": "Security update for ruby-bundled-gems-rpmhelper, ruby2.5",
  "upstream": [
    "CVE-2017-17742",
    "CVE-2018-1000073",
    "CVE-2018-1000074",
    "CVE-2018-1000075",
    "CVE-2018-1000076",
    "CVE-2018-1000077",
    "CVE-2018-1000078",
    "CVE-2018-1000079",
    "CVE-2018-16395",
    "CVE-2018-16396",
    "CVE-2018-6914",
    "CVE-2018-8777",
    "CVE-2018-8778",
    "CVE-2018-8779",
    "CVE-2018-8780",
    "CVE-2019-8320",
    "CVE-2019-8321",
    "CVE-2019-8322",
    "CVE-2019-8323",
    "CVE-2019-8324",
    "CVE-2019-8325"
  ]
}
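The ECOSYSTEM ranges in this record are only useful if an installed EVR is compared with the `fixed` value the way rpm itself orders versions, and a plain string or Gem::Version comparison gets cases such as `2.5.10` vs `2.5.9` or `lp151.4.3.1` wrong. The Ruby script below is an added example, not part of this advisory or of any openSUSE or OSV tooling. It embeds a trimmed copy of the two Leap 15.1 entries from the record, implements rpm's `rpmvercmp` ordering (numeric segments beat alphabetic ones, longer digit runs are larger, `~` sorts before anything, `^` sorts after the end of a string) plus epoch handling, and reports which packages from a constructed inventory are still inside the affected range. The installed versions in `INSTALLED` are made up for the example.

```ruby
# Added example: evaluate the OSV "ECOSYSTEM" ranges of this advisory against
# installed openSUSE RPM versions using rpm's own version ordering.
require "json"

# Trimmed copy of the record on this page (two Leap 15.1 entries, only the
# fields the check needs).
ADVISORY_JSON = <<~'JSON'
  {"id": "openSUSE-SU-2019:1771-1",
   "affected": [
     {"package": {"ecosystem": "openSUSE:Leap 15.1", "name": "ruby2.5"},
      "ranges": [{"type": "ECOSYSTEM",
                  "events": [{"introduced": "0"}, {"fixed": "2.5.5-lp151.4.3.1"}]}]},
     {"package": {"ecosystem": "openSUSE:Leap 15.1", "name": "ruby-bundled-gems-rpmhelper"},
      "ranges": [{"type": "ECOSYSTEM",
                  "events": [{"introduced": "0"}, {"fixed": "0.0.2-lp151.2.1"}]}]}
   ]}
JSON
ADVISORY = JSON.parse(ADVISORY_JSON)

# Constructed inventory in the shape `rpm -qa --qf '%{NAME} %{EVR}\n'` prints;
# these installed versions are invented for the example.
INSTALLED = {
  "ruby2.5" => "2.5.3-lp151.3.1",
  "ruby-bundled-gems-rpmhelper" => "0.0.2-lp151.2.1"
}.freeze

# Port of librpm's rpmvercmp(): returns -1, 0 or 1.
def rpm_vercmp(a, b)
  return 0 if a == b
  one = a
  two = b
  loop do
    # Separators (anything not alphanumeric, '~' or '^') are skipped.
    one = one.sub(/\A[^A-Za-z0-9~^]+/, "")
    two = two.sub(/\A[^A-Za-z0-9~^]+/, "")
    if one.start_with?("~") || two.start_with?("~")
      return 1 unless one.start_with?("~")   # '~' is older than anything
      return -1 unless two.start_with?("~")
      one = one[1..-1]
      two = two[1..-1]
      next
    end
    if one.start_with?("^") || two.start_with?("^")
      return -1 if one.empty?                # '^' is newer than end of string
      return 1 if two.empty?
      return 1 unless one.start_with?("^")   # but older than any other segment
      return -1 unless two.start_with?("^")
      one = one[1..-1]
      two = two[1..-1]
      next
    end
    break if one.empty? || two.empty?
    # Take a run of digits or a run of letters, the kind chosen by `one`.
    if one =~ /\A\d/
      seg1 = one[/\A\d+/]
      seg2 = two[/\A\d*/]
      isnum = true
    else
      seg1 = one[/\A[A-Za-z]+/]
      seg2 = two[/\A[A-Za-z]*/]
      isnum = false
    end
    # Segment types differ: a numeric segment is newer than an alphabetic one.
    return(isnum ? 1 : -1) if seg2.empty?
    one = one[seg1.length..-1]
    two = two[seg2.length..-1]
    if isnum
      seg1 = seg1.sub(/\A0+/, "")
      seg2 = seg2.sub(/\A0+/, "")
      return 1 if seg1.length > seg2.length   # more digits means larger number
      return -1 if seg2.length > seg1.length
    end
    rc = seg1 <=> seg2
    return rc unless rc.zero?
  end
  return 0 if one.empty? && two.empty?
  one.empty? ? -1 : 1                        # whichever has segments left is newer
end

# Split "[epoch:]version-release"; a missing epoch counts as 0.
def parse_evr(evr)
  epoch = 0
  if evr.include?(":")
    e, evr = evr.split(":", 2)
    epoch = e.to_i
  end
  version, release = evr.split("-", 2)
  [epoch, version, release || ""]
end

# rpm's labelCompare: epoch first, then version, then release.
def evr_cmp(a, b)
  ea, va, ra = parse_evr(a)
  eb, vb, rb = parse_evr(b)
  return ea <=> eb unless ea == eb
  c = rpm_vercmp(va, vb)
  return c unless c.zero?
  rpm_vercmp(ra, rb)
end

# Walk the ordered OSV events: "introduced" opens a vulnerable span, "fixed"
# closes it.  "0" means vulnerable from the first version ever shipped.
def affected_by_ranges?(installed_evr, ranges)
  ranges.each do |range|
    next unless range["type"] == "ECOSYSTEM"
    vulnerable = false
    range["events"].each do |ev|
      if ev.key?("introduced")
        vulnerable = ev["introduced"] == "0" || evr_cmp(installed_evr, ev["introduced"]) >= 0
      elsif ev.key?("fixed") && evr_cmp(installed_evr, ev["fixed"]) >= 0
        vulnerable = false
      end
    end
    return true if vulnerable
  end
  false
end

# Returns [[name, installed_evr, first_fixed_evr], ...] for packages still affected.
def check_host(advisory, ecosystem, installed)
  findings = []
  advisory["affected"].each do |entry|
    pkg = entry["package"]
    next unless pkg["ecosystem"] == ecosystem
    evr = installed[pkg["name"]]
    next if evr.nil? || !affected_by_ranges?(evr, entry["ranges"])
    fixed = entry["ranges"].flat_map { |r| r["events"] }.map { |e| e["fixed"] }.compact.first
    findings << [pkg["name"], evr, fixed]
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  check_host(ADVISORY, "openSUSE:Leap 15.1", INSTALLED).each do |name, have, fixed|
    puts "#{ADVISORY['id']}: #{name} #{have} is affected, fixed in #{fixed}"
  end
end
```

Two caveats when running this against a real host: the OSV `package.name` is the source package, so feed it the binary RPM names from `ecosystem_specific.binaries` (for instance `libruby2_5-2_5`, which carries the interpreter) and their installed EVRs; and rpm's ordering is the only one that matters for `zypper`, so do not fall back to `Gem::Version` for release strings like `lp151.4.3.1`.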