Debian DSA-4332-1 : ruby2.3 - security update

High Nessus Plugin ID 118721

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2018-16395 Tyler Eckstein reported that the equality check of OpenSSL::X509::Name (Name#==) could return true for non-equal objects. If a malicious X.509 certificate is passed in for comparison with an existing certificate, the two names could wrongly be judged equal, so a check that pins or matches on a certificate's subject or issuer could accept the wrong certificate.

- CVE-2018-16396 Chris Seaton discovered that the taint flag is not propagated by Array#pack and String#unpack for some directives, so data marked as coming from an untrusted source could lose that marking after being packed or unpacked.
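The following Ruby snippet is an added example, not code from the advisory, from Nessus or from the Ruby project. It shows the comparison CVE-2018-16395 concerns: a presented certificate's subject is matched against a pinned distinguished name, first with OpenSSL::X509::Name#== (the method the advisory describes) and then with a byte-for-byte comparison of the DER encodings, which does not depend on the interpreter's Name#== implementation and is a defensive workaround for code that must run on an interpreter older than 2.3.3-1+deb9u4. The distinguished names, the self-signed certificate and the helper names (build_name, names_equal?, names_equal_der?, subject_matches_pin?, self_check) are all constructed here for illustration.

```ruby
require "openssl"

# Build a distinguished name from [attribute, value] pairs.
# Names are constructed inline; nothing is read from disk or the network.
def build_name(pairs)
  OpenSSL::X509::Name.new(pairs)
end

# Equality as the interpreter implements it (OpenSSL::X509::Name#==).
# On ruby2.3 before 2.3.3-1+deb9u4 this is the comparison affected by
# CVE-2018-16395: it could report two different names as equal.
def names_equal?(a, b)
  a == b
end

# Stricter check: compare the DER encodings byte for byte. This is
# independent of Name#== and works on a patched or unpatched interpreter.
def names_equal_der?(a, b)
  a.to_der == b.to_der
end

# Build a throwaway self-signed certificate whose subject is +name+, so the
# advisory's scenario (a certificate handed in for comparison) is concrete.
# The key is generated locally and discarded; this is a constructed sample.
def make_self_signed_cert(name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Decide whether a presented certificate's subject matches the pinned name,
# using the DER comparison rather than Name#==.
def subject_matches_pin?(cert, pinned_name)
  names_equal_der?(cert.subject, pinned_name)
end

# Self-check: a name must equal itself and must not equal a name that differs
# in any attribute. On an affected interpreter, names_equal?(pinned, other)
# is the result that could wrongly come back true.
def self_check
  pinned = build_name([["C", "US"], ["O", "Example Corp"], ["CN", "pinned.example"]])
  same   = build_name([["C", "US"], ["O", "Example Corp"], ["CN", "pinned.example"]])
  other  = build_name([["C", "US"], ["O", "Example Corp"], ["CN", "attacker.example"]])
  good_cert = make_self_signed_cert(same)
  bad_cert  = make_self_signed_cert(other)
  {
    same_by_eq:    names_equal?(pinned, same),
    other_by_eq:   names_equal?(pinned, other),
    same_by_der:   names_equal_der?(pinned, same),
    other_by_der:  names_equal_der?(pinned, other),
    good_cert_pin: subject_matches_pin?(good_cert, pinned),
    bad_cert_pin:  subject_matches_pin?(bad_cert, pinned),
  }
end

if __FILE__ == $0
  self_check.each { |k, v| puts "#{k}: #{v}" }
end
```

Running this on a patched interpreter prints true for the three "same"/"good" checks and false for the three "other"/"bad" checks. A DER comparison is stricter than X509_NAME_cmp: two names with the same attributes but different encodings compare unequal, which is the safe direction for a pinning check.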

Solution

Upgrade the ruby2.3 packages.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u4.

See Also

https://security-tracker.debian.org/tracker/CVE-2018-16395

https://security-tracker.debian.org/tracker/CVE-2018-16396

https://security-tracker.debian.org/tracker/source-package/ruby2.3

https://packages.debian.org/source/stretch/ruby2.3

https://www.debian.org/security/2018/dsa-4332

Plugin Details

Severity: High

ID: 118721

File Name: debian_DSA-4332.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2018/11/05

Modified: 2018/11/13

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ruby2.3, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 2018/11/03

Reference Information

CVE: CVE-2018-16395, CVE-2018-16396

DSA: 4332