ALT-BU-2017-3415-1
Branch sisyphus update bulletin.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2017-0903
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
- http://blog.rubygems.org/2017/10/09/2.6.14-released.html
- http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
- 101275
- RHSA-2017:3485
- RHSA-2018:0378
- RHSA-2018:0583
- RHSA-2018:0585
- https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
- https://hackerone.com/reports/274990
- [debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update
- USN-3553-1
- USN-3685-1
- DSA-4031
Closed vulnerabilities
BDU:2019-00222
A vulnerability in the Qemu-NBD server of the QEMU hardware emulator that allows an attacker to cause a denial of service
BDU:2019-04102
A vulnerability in the io/channel-websock.c component of the QEMU hardware emulator that allows an attacker to cause a denial of service
Modified: 2024-11-21
CVE-2017-15268
Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c.
- 101277
- RHSA-2018:0816
- RHSA-2018:1104
- https://bugs.launchpad.net/qemu/+bug/1718964
- [qemu-devel] 20171010 [PATCH v1 1/7] io: monitor encoutput buffer size from websocket GSource
- USN-3575-1
- DSA-4213
Modified: 2024-11-21
CVE-2017-7539
An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service.
- [oss-security] 20170721 CVE-2017-7539 Qemu: qemu-nbd crashes due to undefined I/O coroutine
- 99944
- RHSA-2017:2628
- RHSA-2017:3466
- RHSA-2017:3470
- RHSA-2017:3471
- RHSA-2017:3472
- RHSA-2017:3473
- RHSA-2017:3474
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7539
- https://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=2b0bbc4f8809c972bad134bc1a2570dbb01dea0b
- https://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=ff82911cd3f69f028f2537825c9720ff78bc3f19