[ubuntu/bionic-proposed] ruby2.3 2.3.5-1 (Accepted)
Matthias Klose
doko at ubuntu.com
Tue Nov 14 17:07:36 UTC 2017
ruby2.3 (2.3.5-1) unstable; urgency=medium
* New upstream release.
- Includes fix for building with GCC 7 (Closes: #853648)
- Included security fixes
- Buffer underrun vulnerability in OpenSSL ASN1 decode
[CVE-2017-14033] (Closes: #875928)
- Escape sequence injection vulnerability in the Basic authentication of
WEBrick
[CVE-2017-10784] (Closes: #875931)
- Buffer underrun vulnerability in Kernel.sprintf
[CVE-2017-0898] (Closes: #875936)
- Multiple security vulnerabilities in Rubygems (Closes: #873802)
- DNS request hijacking vulnerability. Discovered by Jonathan
Claudius, fix by Samuel Giddins.
[CVE-2017-0902]
- ANSI escape sequence vulnerability. Discovered by Yusuke Endoh,
fix by Evan Phoenix.
[CVE-2017-0899]
- DoS vulnerability in the query command. Discovered by Yusuke
Endoh, fix by Samuel Giddins.
[CVE-2017-0900]
- Vulnerability in the gem installer that allowed a malicious gem to
overwrite arbitrary files. Discovered by Yusuke Endoh, fix by Samuel
Giddins.
[CVE-2017-0901]
- Arbitrary heap exposure problem in the JSON library
[CVE-2017-14064] (Closes: #873906)
- SMTP comment injection
[CVE-2015-9096] (Closes: #864860)
- IV Reuse in GCM Mode in the OpenSSL bindings
[CVE-2016-7798] (Closes: #842432)
* Whitelist classes and symbols that are in Gem spec YAML
[CVE-2017-0903] (Closes: #879231)
Original patch by Aaron Patterson; backported from the standalone Rubygems
package
* Convert packaging from using a plain git history to using gbp-pq, thus
making the individual Debian patches explicitly present in debian/patches
* Refresh debian/libruby2.3.symbols. There are some removed symbols, but
they are never exposed in a header file so there should be no packages
using them.
Date: 2017-11-14 16:40:43.903950+00:00
Changed-By: Antonio Terceiro <antonio.terceiro at linaro.org>
Signed-By: Matthias Klose <doko at ubuntu.com>
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.5-1
Sorry, changesfile not available.
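The CVE-2017-0903 item in the changelog above (whitelisting the classes and symbols that may appear in gem spec YAML) is easiest to understand side by side with the unrestricted behaviour it replaces. The script below is an added example, not code from this upload or from RubyGems itself: the two YAML documents are constructed samples, the `Gadget` class is a hypothetical stand-in for whatever class an attacker would name in a `!ruby/object:` tag, and the `[Symbol]` whitelist is illustrative (RubyGems' real permitted list is longer and is not reproduced here). It loads the hostile document once with the unrestricted loader, showing that an arbitrary object is instantiated from untrusted input, and once with `YAML.safe_load` plus an explicit class whitelist, showing the same document being rejected while a benign spec still parses.

```ruby
require "yaml"

# Hypothetical class: stands in for any class an attacker could name in a
# YAML object tag. Nothing about it is dangerous by itself; the point is that
# untrusted YAML should not get to choose which classes are instantiated.
class Gadget
  attr_accessor :cmd
end

# Constructed sample: a gemspec-like document that only needs plain data
# types plus Symbol (dependency types such as :development are symbols).
BENIGN_SPEC = <<~YAML
  name: demo
  version: "1.0.0"
  platform: ruby
  dependencies:
    - name: rake
      type: :development
      requirement: ">= 12.0"
YAML

# Constructed sample: the same shape, but one value carries an object tag
# that an unrestricted loader will turn into a live Gadget instance.
HOSTILE_SPEC = <<~YAML
  name: demo
  version: "1.0.0"
  surprise: !ruby/object:Gadget
    cmd: "echo owned"
YAML

# Illustrative whitelist: the only non-core class a spec is allowed to use.
PERMITTED_CLASSES = [Symbol].freeze

# Unrestricted deserialisation, i.e. what the pre-fix code path amounted to.
# Psych 4 made YAML.load safe by default and added unsafe_load; older Psych
# only has the (unsafe) YAML.load, so pick whichever is available.
def unrestricted_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Whitelisted deserialisation: any class outside PERMITTED_CLASSES (plus the
# core scalars/collections Psych always allows) raises Psych::DisallowedClass.
# Aliases are disabled too, which also blocks alias-based expansion tricks.
def load_spec_strictly(yaml)
  YAML.safe_load(yaml, permitted_classes: PERMITTED_CLASSES, aliases: false)
end

# Returns [:ok, parsed_hash] for an acceptable spec, or [:rejected, message]
# when the whitelist refuses the document.
def classify(yaml)
  [:ok, load_spec_strictly(yaml)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $0
  # Unrestricted: the "surprise" key becomes a Gadget chosen by the document.
  obj = unrestricted_load(HOSTILE_SPEC)["surprise"]
  puts "unrestricted load produced: #{obj.class} with cmd=#{obj.cmd.inspect}"

  # Whitelisted: the benign spec parses, the hostile one is refused.
  p classify(BENIGN_SPEC)
  p classify(HOSTILE_SPEC)
end
```

The same pattern applies to any Ruby code that deserialises YAML it did not write itself: call `YAML.safe_load` with the shortest `permitted_classes` list that the format genuinely needs, and treat `Psych::DisallowedClass` as a hard rejection rather than something to rescue and continue from.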