Arch Linux

FS#58065 - [ruby] 2.5.0 has multiple security issues, fixes in new Ruby version (2.5.1)

Attached to Project: Arch Linux
Opened by killerwolf (killerwolf) - Sunday, 01 April 2018, 13:23 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 02 April 2018, 00:37 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: No-one
Architecture: All
Severity: High
Priority: Normal
Reported Version
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
On 28.3.2018, Ruby 2.5.1 was released [1]. This version fixes some security issues:
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir

[1] https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/

Note that the version containing the fixes is already in testing.

Steps to reproduce:
$ pacman -Syu ruby
$ ruby --version
ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-linux]

Closed by Doug Newgard (Scimmia)
Monday, 02 April 2018, 00:37 GMT
Reason for closing: Fixed
Additional comments about closing: ruby 2.5.1-1 has been in the repos for 4 days
