SynopsisThe remote FreeBSD host is missing one or more security-related updates.
DescriptionEtienne Stalmans from the Heroku product security team reports :
There is a command injection vulnerability in Net::FTP bundled with Ruby.
Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character '|', the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
SolutionUpdate the affected packages.