All errata/sisyphus/ALT-PU-2017-2216-2
ALT-PU-2017-2216-2

Package update ruby in branch sisyphus

Version2.4.2-alt1
Task#188251
Published2026-02-04
Max severityCRITICAL
Severity:

Closed issues (10)

BDU:2017-01780
HIGH7.5

Уязвимость функции parser_yyerror анализатора UTF-8-формата интерпретатора Ruby, позволяющая нарушителю вызвать отказ в обслуживании или оказать другое воздействие

Published: 2017-08-10Modified: 2021-03-23
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
References
BDU:2017-02182
HIGH7.5

Уязвимость интерпретатора Ruby, вызванная выходом операции за границы буфера в памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2017-09-28Modified: 2021-03-23
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
References
BDU:2017-02342
HIGH8.8

Уязвимость функции аутентификации библиотеки WEBrick, позволяющая нарушителю выполнить произвольные команды

Published: 2017-11-03Modified: 2021-03-23
CVSS 3.xHIGH 8.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0CRITICAL 9.3
CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C
References
CVE-2017-0898
CRITICAL9.1

Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.

Published: 2017-09-15Modified: 2025-04-20
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS 3.xCRITICAL 9.1
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
References
CVE-2017-10784
HIGH8.8

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.

Published: 2017-09-19Modified: 2025-04-20
CVSS 2.0CRITICAL 9.3
CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
CVE-2017-11465
CRITICAL9.8

The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might have security relevance as a bypass of a $SAFE protection mechanism.

Published: 2017-07-19Modified: 2025-04-20
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2017-14033
HIGH7.5

The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.

Published: 2017-09-19Modified: 2025-04-20
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2017-14064
CRITICAL9.8

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.

Published: 2017-08-31Modified: 2025-04-20
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
GHSA-369m-2gv6-mw28
HIGH8.8

WEBrick RCE Vulnerability

Published: 2022-05-14Modified: 2023-07-27
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
GHSA-v6rp-3r3v-hf4p
HIGH7.5

Ruby OpenSSL DoS Vulnerability

Published: 2022-05-14Modified: 2023-10-24
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References