-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3717
                            ruby security update
                              30 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
                   Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux WS/Desktop 6
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Create Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000079 CVE-2018-1000078 CVE-2018-1000077
                   CVE-2018-1000076 CVE-2018-1000075 CVE-2018-1000074
                   CVE-2018-1000073 CVE-2018-16396 CVE-2018-16395
                   CVE-2018-8780 CVE-2018-8779 CVE-2018-8778
                   CVE-2018-8777 CVE-2018-6914 CVE-2017-17742
Reference:         ESB-2018.2220
                   ESB-2018.2055
                   ESB-2018.1767
                   ESB-2018.1168

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2018:3738
   https://access.redhat.com/errata/RHSA-2018:3729
   https://access.redhat.com/errata/RHSA-2018:3730
   https://access.redhat.com/errata/RHSA-2018:3731

Comment: This bulletin contains four (4) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: ruby security update
Advisory ID:       RHSA-2018:3738-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3738
Issue date:        2018-11-29
CVE Names:         CVE-2018-16395
=====================================================================

1. Summary:

An update for ruby is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, noarch, ppc64le, s390x
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, noarch, ppc64le, s390x

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to perform system management tasks.

Security Fix(es):

* ruby: OpenSSL::X509::Name equality check does not work correctly
(CVE-2018-16395)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1643086 - CVE-2018-16395 ruby: OpenSSL::X509::Name equality check does not work correctly

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
ruby-2.0.0.648-34.el7_6.src.rpm

noarch:
ruby-irb-2.0.0.648-34.el7_6.noarch.rpm
rubygem-rdoc-4.0.0-34.el7_6.noarch.rpm
rubygems-2.0.14.1-34.el7_6.noarch.rpm

x86_64:
ruby-2.0.0.648-34.el7_6.x86_64.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.i686.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.x86_64.rpm
ruby-libs-2.0.0.648-34.el7_6.i686.rpm
ruby-libs-2.0.0.648-34.el7_6.x86_64.rpm
rubygem-bigdecimal-1.2.0-34.el7_6.x86_64.rpm
rubygem-io-console-0.4.2-34.el7_6.x86_64.rpm
rubygem-json-1.7.7-34.el7_6.x86_64.rpm
rubygem-psych-2.0.0-34.el7_6.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
ruby-doc-2.0.0.648-34.el7_6.noarch.rpm
rubygem-minitest-4.3.2-34.el7_6.noarch.rpm
rubygem-rake-0.9.6-34.el7_6.noarch.rpm
rubygems-devel-2.0.14.1-34.el7_6.noarch.rpm

x86_64:
ruby-debuginfo-2.0.0.648-34.el7_6.x86_64.rpm
ruby-devel-2.0.0.648-34.el7_6.x86_64.rpm
ruby-tcltk-2.0.0.648-34.el7_6.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ruby-2.0.0.648-34.el7_6.src.rpm

noarch:
ruby-irb-2.0.0.648-34.el7_6.noarch.rpm
rubygem-rdoc-4.0.0-34.el7_6.noarch.rpm
rubygems-2.0.14.1-34.el7_6.noarch.rpm

x86_64:
ruby-2.0.0.648-34.el7_6.x86_64.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.i686.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.x86_64.rpm
ruby-libs-2.0.0.648-34.el7_6.i686.rpm
ruby-libs-2.0.0.648-34.el7_6.x86_64.rpm
rubygem-bigdecimal-1.2.0-34.el7_6.x86_64.rpm
rubygem-io-console-0.4.2-34.el7_6.x86_64.rpm
rubygem-json-1.7.7-34.el7_6.x86_64.rpm
rubygem-psych-2.0.0-34.el7_6.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
ruby-doc-2.0.0.648-34.el7_6.noarch.rpm
rubygem-minitest-4.3.2-34.el7_6.noarch.rpm
rubygem-rake-0.9.6-34.el7_6.noarch.rpm
rubygems-devel-2.0.14.1-34.el7_6.noarch.rpm

x86_64:
ruby-debuginfo-2.0.0.648-34.el7_6.x86_64.rpm
ruby-devel-2.0.0.648-34.el7_6.x86_64.rpm
ruby-tcltk-2.0.0.648-34.el7_6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ruby-2.0.0.648-34.el7_6.src.rpm

noarch:
ruby-irb-2.0.0.648-34.el7_6.noarch.rpm
rubygem-rdoc-4.0.0-34.el7_6.noarch.rpm
rubygems-2.0.14.1-34.el7_6.noarch.rpm

ppc64:
ruby-2.0.0.648-34.el7_6.ppc64.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.ppc.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.ppc64.rpm
ruby-libs-2.0.0.648-34.el7_6.ppc.rpm
ruby-libs-2.0.0.648-34.el7_6.ppc64.rpm
rubygem-bigdecimal-1.2.0-34.el7_6.ppc64.rpm
rubygem-io-console-0.4.2-34.el7_6.ppc64.rpm
rubygem-json-1.7.7-34.el7_6.ppc64.rpm
rubygem-psych-2.0.0-34.el7_6.ppc64.rpm

ppc64le:
ruby-2.0.0.648-34.el7_6.ppc64le.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.ppc64le.rpm
ruby-libs-2.0.0.648-34.el7_6.ppc64le.rpm
rubygem-bigdecimal-1.2.0-34.el7_6.ppc64le.rpm
rubygem-io-console-0.4.2-34.el7_6.ppc64le.rpm
rubygem-json-1.7.7-34.el7_6.ppc64le.rpm
rubygem-psych-2.0.0-34.el7_6.ppc64le.rpm

s390x:
ruby-2.0.0.648-34.el7_6.s390x.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.s390.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.s390x.rpm
ruby-libs-2.0.0.648-34.el7_6.s390.rpm
ruby-libs-2.0.0.648-34.el7_6.s390x.rpm
rubygem-bigdecimal-1.2.0-34.el7_6.s390x.rpm
rubygem-io-console-0.4.2-34.el7_6.s390x.rpm
rubygem-json-1.7.7-34.el7_6.s390x.rpm
rubygem-psych-2.0.0-34.el7_6.s390x.rpm

x86_64:
ruby-2.0.0.648-34.el7_6.x86_64.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.i686.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.x86_64.rpm
ruby-libs-2.0.0.648-34.el7_6.i686.rpm
ruby-libs-2.0.0.648-34.el7_6.x86_64.rpm
rubygem-bigdecimal-1.2.0-34.el7_6.x86_64.rpm
rubygem-io-console-0.4.2-34.el7_6.x86_64.rpm
rubygem-json-1.7.7-34.el7_6.x86_64.rpm
rubygem-psych-2.0.0-34.el7_6.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):

Source:
ruby-2.0.0.648-34.el7_6.src.rpm

aarch64:
ruby-2.0.0.648-34.el7_6.aarch64.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.aarch64.rpm
ruby-libs-2.0.0.648-34.el7_6.aarch64.rpm
rubygem-bigdecimal-1.2.0-34.el7_6.aarch64.rpm
rubygem-io-console-0.4.2-34.el7_6.aarch64.rpm
rubygem-json-1.7.7-34.el7_6.aarch64.rpm
rubygem-psych-2.0.0-34.el7_6.aarch64.rpm

noarch:
ruby-irb-2.0.0.648-34.el7_6.noarch.rpm
rubygem-rdoc-4.0.0-34.el7_6.noarch.rpm
rubygems-2.0.14.1-34.el7_6.noarch.rpm

ppc64le:
ruby-2.0.0.648-34.el7_6.ppc64le.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.ppc64le.rpm
ruby-libs-2.0.0.648-34.el7_6.ppc64le.rpm
rubygem-bigdecimal-1.2.0-34.el7_6.ppc64le.rpm
rubygem-io-console-0.4.2-34.el7_6.ppc64le.rpm
rubygem-json-1.7.7-34.el7_6.ppc64le.rpm
rubygem-psych-2.0.0-34.el7_6.ppc64le.rpm

s390x:
ruby-2.0.0.648-34.el7_6.s390x.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.s390.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.s390x.rpm
ruby-libs-2.0.0.648-34.el7_6.s390.rpm
ruby-libs-2.0.0.648-34.el7_6.s390x.rpm
rubygem-bigdecimal-1.2.0-34.el7_6.s390x.rpm
rubygem-io-console-0.4.2-34.el7_6.s390x.rpm
rubygem-json-1.7.7-34.el7_6.s390x.rpm
rubygem-psych-2.0.0-34.el7_6.s390x.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
ruby-doc-2.0.0.648-34.el7_6.noarch.rpm
rubygem-minitest-4.3.2-34.el7_6.noarch.rpm
rubygem-rake-0.9.6-34.el7_6.noarch.rpm
rubygems-devel-2.0.14.1-34.el7_6.noarch.rpm

ppc64:
ruby-debuginfo-2.0.0.648-34.el7_6.ppc64.rpm
ruby-devel-2.0.0.648-34.el7_6.ppc64.rpm
ruby-tcltk-2.0.0.648-34.el7_6.ppc64.rpm

ppc64le:
ruby-debuginfo-2.0.0.648-34.el7_6.ppc64le.rpm
ruby-devel-2.0.0.648-34.el7_6.ppc64le.rpm
ruby-tcltk-2.0.0.648-34.el7_6.ppc64le.rpm

s390x:
ruby-debuginfo-2.0.0.648-34.el7_6.s390x.rpm
ruby-devel-2.0.0.648-34.el7_6.s390x.rpm
ruby-tcltk-2.0.0.648-34.el7_6.s390x.rpm

x86_64:
ruby-debuginfo-2.0.0.648-34.el7_6.x86_64.rpm
ruby-devel-2.0.0.648-34.el7_6.x86_64.rpm
ruby-tcltk-2.0.0.648-34.el7_6.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7):

aarch64:
ruby-debuginfo-2.0.0.648-34.el7_6.aarch64.rpm
ruby-devel-2.0.0.648-34.el7_6.aarch64.rpm
ruby-tcltk-2.0.0.648-34.el7_6.aarch64.rpm

noarch:
ruby-doc-2.0.0.648-34.el7_6.noarch.rpm
rubygem-minitest-4.3.2-34.el7_6.noarch.rpm
rubygem-rake-0.9.6-34.el7_6.noarch.rpm
rubygems-devel-2.0.14.1-34.el7_6.noarch.rpm

ppc64le:
ruby-debuginfo-2.0.0.648-34.el7_6.ppc64le.rpm
ruby-devel-2.0.0.648-34.el7_6.ppc64le.rpm
ruby-tcltk-2.0.0.648-34.el7_6.ppc64le.rpm

s390x:
ruby-debuginfo-2.0.0.648-34.el7_6.s390x.rpm
ruby-devel-2.0.0.648-34.el7_6.s390x.rpm
ruby-tcltk-2.0.0.648-34.el7_6.s390x.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ruby-2.0.0.648-34.el7_6.src.rpm

noarch:
ruby-irb-2.0.0.648-34.el7_6.noarch.rpm
rubygem-rdoc-4.0.0-34.el7_6.noarch.rpm
rubygems-2.0.14.1-34.el7_6.noarch.rpm

x86_64:
ruby-2.0.0.648-34.el7_6.x86_64.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.i686.rpm
ruby-debuginfo-2.0.0.648-34.el7_6.x86_64.rpm
ruby-libs-2.0.0.648-34.el7_6.i686.rpm
ruby-libs-2.0.0.648-34.el7_6.x86_64.rpm
rubygem-bigdecimal-1.2.0-34.el7_6.x86_64.rpm
rubygem-io-console-0.4.2-34.el7_6.x86_64.rpm
rubygem-json-1.7.7-34.el7_6.x86_64.rpm
rubygem-psych-2.0.0-34.el7_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
ruby-doc-2.0.0.648-34.el7_6.noarch.rpm
rubygem-minitest-4.3.2-34.el7_6.noarch.rpm
rubygem-rake-0.9.6-34.el7_6.noarch.rpm
rubygems-devel-2.0.14.1-34.el7_6.noarch.rpm

x86_64:
ruby-debuginfo-2.0.0.648-34.el7_6.x86_64.rpm
ruby-devel-2.0.0.648-34.el7_6.x86_64.rpm
ruby-tcltk-2.0.0.648-34.el7_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-16395
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: rh-ruby23-ruby security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:3729-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3729
Issue date:        2018-11-29
CVE Names:         CVE-2017-17742 CVE-2018-6914 CVE-2018-8777
                   CVE-2018-8778 CVE-2018-8779 CVE-2018-8780
                   CVE-2018-16395 CVE-2018-16396 CVE-2018-1000073
                   CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                   CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079
=====================================================================

1. Summary:

An update for rh-ruby23-ruby is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version:
rh-ruby23-ruby (2.3.8), rh-ruby23-rubygems (2.5.2.3). (BZ#1650591)

Security Fix(es):

* ruby: OpenSSL::X509::Name equality check does not work correctly
(CVE-2018-16395)

* ruby: HTTP response splitting in WEBrick (CVE-2017-17742)

* ruby: DoS by large request in WEBrick (CVE-2018-8777)

* ruby: Buffer under-read in String#unpack (CVE-2018-8778)

* ruby: Unintentional directory traversal by poisoned NULL byte in Dir
(CVE-2018-8780)

* ruby: Tainted flags are not propagated in Array#pack and String#unpack
with some directives (CVE-2018-16396)

* rubygems: Path traversal when writing to a symlinked basedir outside of
the root (CVE-2018-1000073)

* rubygems: Unsafe Object Deserialization Vulnerability in gem owner
allowing arbitrary code execution on specially crafted YAML
(CVE-2018-1000074)

* rubygems: Improper verification of signatures in tarball allows to
install mis-signed gem (CVE-2018-1000076)

* rubygems: Missing URL validation on spec home attribute allows malicious
gem to set an invalid homepage URL (CVE-2018-1000077)

* rubygems: XSS vulnerability in homepage attribute when displayed via gem
server (CVE-2018-1000078)

* rubygems: Path traversal issue during gem installation allows to write to
arbitrary filesystem locations (CVE-2018-1000079)

* ruby: Unintentional file and directory creation with directory traversal
in tempfile and tmpdir (CVE-2018-6914)

* ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer
and UNIXSocket (CVE-2018-8779)

* rubygems: Infinite loop vulnerability due to negative size in tar header
causes Denial of Service (CVE-2018-1000075)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1547418 - CVE-2018-1000073 rubygems: Path traversal when writing to a symlinked basedir outside of the root
1547419 - CVE-2018-1000074 rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML
1547420 - CVE-2018-1000075 rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service
1547421 - CVE-2018-1000076 rubygems: Improper verification of signatures in tarball allows to install mis-signed gem
1547422 - CVE-2018-1000077 rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL
1547425 - CVE-2018-1000078 rubygems: XSS vulnerability in homepage attribute when displayed via gem server
1547426 - CVE-2018-1000079 rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations
1561947 - CVE-2018-6914 ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
1561948 - CVE-2018-8779 ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket
1561949 - CVE-2018-8780 ruby: Unintentional directory traversal by poisoned NULL byte in Dir
1561950 - CVE-2018-8777 ruby: DoS by large request in WEBrick
1561952 - CVE-2017-17742 ruby: HTTP response splitting in WEBrick
1561953 - CVE-2018-8778 ruby: Buffer under-read in String#unpack
1643086 - CVE-2018-16395 ruby: OpenSSL::X509::Name equality check does not work correctly
1643089 - CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
1650591 - Rebase to the latest Ruby 2.3 point release [rhscl-3.2.z]

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
rh-ruby23-ruby-2.3.8-69.el6.src.rpm

noarch:
rh-ruby23-ruby-doc-2.3.8-69.el6.noarch.rpm
rh-ruby23-ruby-irb-2.3.8-69.el6.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-69.el6.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-69.el6.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-69.el6.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-69.el6.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-69.el6.noarch.rpm
rh-ruby23-rubygems-2.5.2.3-69.el6.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.3-69.el6.noarch.rpm

x86_64:
rh-ruby23-ruby-2.3.8-69.el6.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.8-69.el6.x86_64.rpm
rh-ruby23-ruby-devel-2.3.8-69.el6.x86_64.rpm
rh-ruby23-ruby-libs-2.3.8-69.el6.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.8-69.el6.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-69.el6.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-69.el6.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-69.el6.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-69.el6.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-69.el6.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-69.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
rh-ruby23-ruby-2.3.8-69.el6.src.rpm

noarch:
rh-ruby23-ruby-doc-2.3.8-69.el6.noarch.rpm
rh-ruby23-ruby-irb-2.3.8-69.el6.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-69.el6.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-69.el6.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-69.el6.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-69.el6.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-69.el6.noarch.rpm
rh-ruby23-rubygems-2.5.2.3-69.el6.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.3-69.el6.noarch.rpm

x86_64:
rh-ruby23-ruby-2.3.8-69.el6.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.8-69.el6.x86_64.rpm
rh-ruby23-ruby-devel-2.3.8-69.el6.x86_64.rpm
rh-ruby23-ruby-libs-2.3.8-69.el6.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.8-69.el6.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-69.el6.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-69.el6.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-69.el6.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-69.el6.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-69.el6.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-69.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-ruby23-ruby-2.3.8-69.el7.src.rpm

noarch:
rh-ruby23-ruby-doc-2.3.8-69.el7.noarch.rpm
rh-ruby23-ruby-irb-2.3.8-69.el7.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-69.el7.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-69.el7.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-69.el7.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-69.el7.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-69.el7.noarch.rpm
rh-ruby23-rubygems-2.5.2.3-69.el7.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.3-69.el7.noarch.rpm

x86_64:
rh-ruby23-ruby-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-devel-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-libs-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.8-69.el7.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-69.el7.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-69.el7.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-69.el7.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-69.el7.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-69.el7.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-69.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):

Source:
rh-ruby23-ruby-2.3.8-69.el7.src.rpm

noarch:
rh-ruby23-ruby-doc-2.3.8-69.el7.noarch.rpm
rh-ruby23-ruby-irb-2.3.8-69.el7.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-69.el7.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-69.el7.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-69.el7.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-69.el7.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-69.el7.noarch.rpm
rh-ruby23-rubygems-2.5.2.3-69.el7.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.3-69.el7.noarch.rpm

x86_64:
rh-ruby23-ruby-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-devel-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-libs-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.8-69.el7.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-69.el7.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-69.el7.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-69.el7.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-69.el7.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-69.el7.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-69.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):

Source:
rh-ruby23-ruby-2.3.8-69.el7.src.rpm

noarch:
rh-ruby23-ruby-doc-2.3.8-69.el7.noarch.rpm
rh-ruby23-ruby-irb-2.3.8-69.el7.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-69.el7.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-69.el7.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-69.el7.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-69.el7.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-69.el7.noarch.rpm
rh-ruby23-rubygems-2.5.2.3-69.el7.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.3-69.el7.noarch.rpm

x86_64:
rh-ruby23-ruby-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-devel-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-libs-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.8-69.el7.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-69.el7.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-69.el7.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-69.el7.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-69.el7.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-69.el7.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-69.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
rh-ruby23-ruby-2.3.8-69.el7.src.rpm

noarch:
rh-ruby23-ruby-doc-2.3.8-69.el7.noarch.rpm
rh-ruby23-ruby-irb-2.3.8-69.el7.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-69.el7.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-69.el7.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-69.el7.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-69.el7.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-69.el7.noarch.rpm
rh-ruby23-rubygems-2.5.2.3-69.el7.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.3-69.el7.noarch.rpm

x86_64:
rh-ruby23-ruby-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-devel-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-libs-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.8-69.el7.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-69.el7.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-69.el7.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-69.el7.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-69.el7.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-69.el7.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-69.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-ruby23-ruby-2.3.8-69.el7.src.rpm

noarch:
rh-ruby23-ruby-doc-2.3.8-69.el7.noarch.rpm
rh-ruby23-ruby-irb-2.3.8-69.el7.noarch.rpm
rh-ruby23-rubygem-minitest-5.8.5-69.el7.noarch.rpm
rh-ruby23-rubygem-power_assert-0.2.6-69.el7.noarch.rpm
rh-ruby23-rubygem-rake-10.4.2-69.el7.noarch.rpm
rh-ruby23-rubygem-rdoc-4.2.1-69.el7.noarch.rpm
rh-ruby23-rubygem-test-unit-3.1.5-69.el7.noarch.rpm
rh-ruby23-rubygems-2.5.2.3-69.el7.noarch.rpm
rh-ruby23-rubygems-devel-2.5.2.3-69.el7.noarch.rpm

x86_64:
rh-ruby23-ruby-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-debuginfo-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-devel-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-libs-2.3.8-69.el7.x86_64.rpm
rh-ruby23-ruby-tcltk-2.3.8-69.el7.x86_64.rpm
rh-ruby23-rubygem-bigdecimal-1.2.8-69.el7.x86_64.rpm
rh-ruby23-rubygem-did_you_mean-1.0.0-69.el7.x86_64.rpm
rh-ruby23-rubygem-io-console-0.4.5-69.el7.x86_64.rpm
rh-ruby23-rubygem-json-1.8.3.1-69.el7.x86_64.rpm
rh-ruby23-rubygem-net-telnet-0.1.1-69.el7.x86_64.rpm
rh-ruby23-rubygem-psych-2.1.0.1-69.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-17742
https://access.redhat.com/security/cve/CVE-2018-6914
https://access.redhat.com/security/cve/CVE-2018-8777
https://access.redhat.com/security/cve/CVE-2018-8778
https://access.redhat.com/security/cve/CVE-2018-8779
https://access.redhat.com/security/cve/CVE-2018-8780
https://access.redhat.com/security/cve/CVE-2018-16395
https://access.redhat.com/security/cve/CVE-2018-16396
https://access.redhat.com/security/cve/CVE-2018-1000073
https://access.redhat.com/security/cve/CVE-2018-1000074
https://access.redhat.com/security/cve/CVE-2018-1000075
https://access.redhat.com/security/cve/CVE-2018-1000076
https://access.redhat.com/security/cve/CVE-2018-1000077
https://access.redhat.com/security/cve/CVE-2018-1000078
https://access.redhat.com/security/cve/CVE-2018-1000079
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: rh-ruby24-ruby security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:3730-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3730
Issue date:        2018-11-29
CVE Names:         CVE-2017-17742 CVE-2018-6914 CVE-2018-8777
                   CVE-2018-8778 CVE-2018-8779 CVE-2018-8780
                   CVE-2018-16395 CVE-2018-16396 CVE-2018-1000073
                   CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                   CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079
=====================================================================

1. Summary:

An update for rh-ruby24-ruby is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version:
rh-ruby24-ruby (2.4.5), rh-ruby24-rubygems (2.6.14.3),
rh-ruby24-rubygem-bigdecimal (1.3.2), rh-ruby24-rubygem-openssl (2.0.9).
(BZ#1650590)

Security Fix(es):

* ruby: OpenSSL::X509::Name equality check does not work correctly
(CVE-2018-16395)

* ruby: HTTP response splitting in WEBrick (CVE-2017-17742)

* ruby: DoS by large request in WEBrick (CVE-2018-8777)

* ruby: Buffer under-read in String#unpack (CVE-2018-8778)

* ruby: Unintentional directory traversal by poisoned NULL byte in Dir
(CVE-2018-8780)

* ruby: Tainted flags are not propagated in Array#pack and String#unpack
with some directives (CVE-2018-16396)

* rubygems: Path traversal when writing to a symlinked basedir outside of
the root (CVE-2018-1000073)

* rubygems: Unsafe Object Deserialization Vulnerability in gem owner
allowing arbitrary code execution on specially crafted YAML
(CVE-2018-1000074)

* rubygems: Improper verification of signatures in tarball allows to
install mis-signed gem (CVE-2018-1000076)

* rubygems: Missing URL validation on spec home attribute allows malicious
gem to set an invalid homepage URL (CVE-2018-1000077)

* rubygems: XSS vulnerability in homepage attribute when displayed via gem
server (CVE-2018-1000078)

* rubygems: Path traversal issue during gem installation allows to write to
arbitrary filesystem locations (CVE-2018-1000079)

* ruby: Unintentional file and directory creation with directory traversal
in tempfile and tmpdir (CVE-2018-6914)

* ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer
and UNIXSocket (CVE-2018-8779)

* rubygems: Infinite loop vulnerability due to negative size in tar header
causes Denial of Service (CVE-2018-1000075)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1547418 - CVE-2018-1000073 rubygems: Path traversal when writing to a symlinked basedir outside of the root
1547419 - CVE-2018-1000074 rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML
1547420 - CVE-2018-1000075 rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service
1547421 - CVE-2018-1000076 rubygems: Improper verification of signatures in tarball allows to install mis-signed gem
1547422 - CVE-2018-1000077 rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL
1547425 - CVE-2018-1000078 rubygems: XSS vulnerability in homepage attribute when displayed via gem server
1547426 - CVE-2018-1000079 rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations
1561947 - CVE-2018-6914 ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
1561948 - CVE-2018-8779 ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket
1561949 - CVE-2018-8780 ruby: Unintentional directory traversal by poisoned NULL byte in Dir
1561950 - CVE-2018-8777 ruby: DoS by large request in WEBrick
1561952 - CVE-2017-17742 ruby: HTTP response splitting in WEBrick
1561953 - CVE-2018-8778 ruby: Buffer under-read in String#unpack
1643086 - CVE-2018-16395 ruby: OpenSSL::X509::Name equality check does not work correctly
1643089 - CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
1650590 - Rebase to the latest Ruby 2.4 point release [rhscl-3.2.z]

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
rh-ruby24-ruby-2.4.5-91.el6.src.rpm

noarch:
rh-ruby24-ruby-doc-2.4.5-91.el6.noarch.rpm
rh-ruby24-ruby-irb-2.4.5-91.el6.noarch.rpm
rh-ruby24-rubygem-minitest-5.10.1-91.el6.noarch.rpm
rh-ruby24-rubygem-power_assert-0.4.1-91.el6.noarch.rpm
rh-ruby24-rubygem-rake-12.0.0-91.el6.noarch.rpm
rh-ruby24-rubygem-rdoc-5.0.0-91.el6.noarch.rpm
rh-ruby24-rubygem-test-unit-3.2.3-91.el6.noarch.rpm
rh-ruby24-rubygem-xmlrpc-0.2.1-91.el6.noarch.rpm
rh-ruby24-rubygems-2.6.14.3-91.el6.noarch.rpm
rh-ruby24-rubygems-devel-2.6.14.3-91.el6.noarch.rpm

x86_64:
rh-ruby24-ruby-2.4.5-91.el6.x86_64.rpm
rh-ruby24-ruby-debuginfo-2.4.5-91.el6.x86_64.rpm
rh-ruby24-ruby-devel-2.4.5-91.el6.x86_64.rpm
rh-ruby24-ruby-libs-2.4.5-91.el6.x86_64.rpm
rh-ruby24-rubygem-bigdecimal-1.3.2-91.el6.x86_64.rpm
rh-ruby24-rubygem-did_you_mean-1.1.0-91.el6.x86_64.rpm
rh-ruby24-rubygem-io-console-0.4.6-91.el6.x86_64.rpm
rh-ruby24-rubygem-json-2.0.4-91.el6.x86_64.rpm
rh-ruby24-rubygem-net-telnet-0.1.1-91.el6.x86_64.rpm
rh-ruby24-rubygem-openssl-2.0.9-91.el6.x86_64.rpm
rh-ruby24-rubygem-psych-2.2.2-91.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v.
6): Source: rh-ruby24-ruby-2.4.5-91.el6.src.rpm noarch: rh-ruby24-ruby-doc-2.4.5-91.el6.noarch.rpm rh-ruby24-ruby-irb-2.4.5-91.el6.noarch.rpm rh-ruby24-rubygem-minitest-5.10.1-91.el6.noarch.rpm rh-ruby24-rubygem-power_assert-0.4.1-91.el6.noarch.rpm rh-ruby24-rubygem-rake-12.0.0-91.el6.noarch.rpm rh-ruby24-rubygem-rdoc-5.0.0-91.el6.noarch.rpm rh-ruby24-rubygem-test-unit-3.2.3-91.el6.noarch.rpm rh-ruby24-rubygem-xmlrpc-0.2.1-91.el6.noarch.rpm rh-ruby24-rubygems-2.6.14.3-91.el6.noarch.rpm rh-ruby24-rubygems-devel-2.6.14.3-91.el6.noarch.rpm x86_64: rh-ruby24-ruby-2.4.5-91.el6.x86_64.rpm rh-ruby24-ruby-debuginfo-2.4.5-91.el6.x86_64.rpm rh-ruby24-ruby-devel-2.4.5-91.el6.x86_64.rpm rh-ruby24-ruby-libs-2.4.5-91.el6.x86_64.rpm rh-ruby24-rubygem-bigdecimal-1.3.2-91.el6.x86_64.rpm rh-ruby24-rubygem-did_you_mean-1.1.0-91.el6.x86_64.rpm rh-ruby24-rubygem-io-console-0.4.6-91.el6.x86_64.rpm rh-ruby24-rubygem-json-2.0.4-91.el6.x86_64.rpm rh-ruby24-rubygem-net-telnet-0.1.1-91.el6.x86_64.rpm rh-ruby24-rubygem-openssl-2.0.9-91.el6.x86_64.rpm rh-ruby24-rubygem-psych-2.2.2-91.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 
7): Source: rh-ruby24-ruby-2.4.5-91.el7.src.rpm noarch: rh-ruby24-ruby-doc-2.4.5-91.el7.noarch.rpm rh-ruby24-ruby-irb-2.4.5-91.el7.noarch.rpm rh-ruby24-rubygem-minitest-5.10.1-91.el7.noarch.rpm rh-ruby24-rubygem-power_assert-0.4.1-91.el7.noarch.rpm rh-ruby24-rubygem-rake-12.0.0-91.el7.noarch.rpm rh-ruby24-rubygem-rdoc-5.0.0-91.el7.noarch.rpm rh-ruby24-rubygem-test-unit-3.2.3-91.el7.noarch.rpm rh-ruby24-rubygem-xmlrpc-0.2.1-91.el7.noarch.rpm rh-ruby24-rubygems-2.6.14.3-91.el7.noarch.rpm rh-ruby24-rubygems-devel-2.6.14.3-91.el7.noarch.rpm x86_64: rh-ruby24-ruby-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-debuginfo-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-devel-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-libs-2.4.5-91.el7.x86_64.rpm rh-ruby24-rubygem-bigdecimal-1.3.2-91.el7.x86_64.rpm rh-ruby24-rubygem-did_you_mean-1.1.0-91.el7.x86_64.rpm rh-ruby24-rubygem-io-console-0.4.6-91.el7.x86_64.rpm rh-ruby24-rubygem-json-2.0.4-91.el7.x86_64.rpm rh-ruby24-rubygem-net-telnet-0.1.1-91.el7.x86_64.rpm rh-ruby24-rubygem-openssl-2.0.9-91.el7.x86_64.rpm rh-ruby24-rubygem-psych-2.2.2-91.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
7.4): Source: rh-ruby24-ruby-2.4.5-91.el7.src.rpm noarch: rh-ruby24-ruby-doc-2.4.5-91.el7.noarch.rpm rh-ruby24-ruby-irb-2.4.5-91.el7.noarch.rpm rh-ruby24-rubygem-minitest-5.10.1-91.el7.noarch.rpm rh-ruby24-rubygem-power_assert-0.4.1-91.el7.noarch.rpm rh-ruby24-rubygem-rake-12.0.0-91.el7.noarch.rpm rh-ruby24-rubygem-rdoc-5.0.0-91.el7.noarch.rpm rh-ruby24-rubygem-test-unit-3.2.3-91.el7.noarch.rpm rh-ruby24-rubygem-xmlrpc-0.2.1-91.el7.noarch.rpm rh-ruby24-rubygems-2.6.14.3-91.el7.noarch.rpm rh-ruby24-rubygems-devel-2.6.14.3-91.el7.noarch.rpm x86_64: rh-ruby24-ruby-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-debuginfo-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-devel-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-libs-2.4.5-91.el7.x86_64.rpm rh-ruby24-rubygem-bigdecimal-1.3.2-91.el7.x86_64.rpm rh-ruby24-rubygem-did_you_mean-1.1.0-91.el7.x86_64.rpm rh-ruby24-rubygem-io-console-0.4.6-91.el7.x86_64.rpm rh-ruby24-rubygem-json-2.0.4-91.el7.x86_64.rpm rh-ruby24-rubygem-net-telnet-0.1.1-91.el7.x86_64.rpm rh-ruby24-rubygem-openssl-2.0.9-91.el7.x86_64.rpm rh-ruby24-rubygem-psych-2.2.2-91.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
7.5): Source: rh-ruby24-ruby-2.4.5-91.el7.src.rpm noarch: rh-ruby24-ruby-doc-2.4.5-91.el7.noarch.rpm rh-ruby24-ruby-irb-2.4.5-91.el7.noarch.rpm rh-ruby24-rubygem-minitest-5.10.1-91.el7.noarch.rpm rh-ruby24-rubygem-power_assert-0.4.1-91.el7.noarch.rpm rh-ruby24-rubygem-rake-12.0.0-91.el7.noarch.rpm rh-ruby24-rubygem-rdoc-5.0.0-91.el7.noarch.rpm rh-ruby24-rubygem-test-unit-3.2.3-91.el7.noarch.rpm rh-ruby24-rubygem-xmlrpc-0.2.1-91.el7.noarch.rpm rh-ruby24-rubygems-2.6.14.3-91.el7.noarch.rpm rh-ruby24-rubygems-devel-2.6.14.3-91.el7.noarch.rpm x86_64: rh-ruby24-ruby-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-debuginfo-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-devel-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-libs-2.4.5-91.el7.x86_64.rpm rh-ruby24-rubygem-bigdecimal-1.3.2-91.el7.x86_64.rpm rh-ruby24-rubygem-did_you_mean-1.1.0-91.el7.x86_64.rpm rh-ruby24-rubygem-io-console-0.4.6-91.el7.x86_64.rpm rh-ruby24-rubygem-json-2.0.4-91.el7.x86_64.rpm rh-ruby24-rubygem-net-telnet-0.1.1-91.el7.x86_64.rpm rh-ruby24-rubygem-openssl-2.0.9-91.el7.x86_64.rpm rh-ruby24-rubygem-psych-2.2.2-91.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
7.6): Source: rh-ruby24-ruby-2.4.5-91.el7.src.rpm noarch: rh-ruby24-ruby-doc-2.4.5-91.el7.noarch.rpm rh-ruby24-ruby-irb-2.4.5-91.el7.noarch.rpm rh-ruby24-rubygem-minitest-5.10.1-91.el7.noarch.rpm rh-ruby24-rubygem-power_assert-0.4.1-91.el7.noarch.rpm rh-ruby24-rubygem-rake-12.0.0-91.el7.noarch.rpm rh-ruby24-rubygem-rdoc-5.0.0-91.el7.noarch.rpm rh-ruby24-rubygem-test-unit-3.2.3-91.el7.noarch.rpm rh-ruby24-rubygem-xmlrpc-0.2.1-91.el7.noarch.rpm rh-ruby24-rubygems-2.6.14.3-91.el7.noarch.rpm rh-ruby24-rubygems-devel-2.6.14.3-91.el7.noarch.rpm x86_64: rh-ruby24-ruby-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-debuginfo-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-devel-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-libs-2.4.5-91.el7.x86_64.rpm rh-ruby24-rubygem-bigdecimal-1.3.2-91.el7.x86_64.rpm rh-ruby24-rubygem-did_you_mean-1.1.0-91.el7.x86_64.rpm rh-ruby24-rubygem-io-console-0.4.6-91.el7.x86_64.rpm rh-ruby24-rubygem-json-2.0.4-91.el7.x86_64.rpm rh-ruby24-rubygem-net-telnet-0.1.1-91.el7.x86_64.rpm rh-ruby24-rubygem-openssl-2.0.9-91.el7.x86_64.rpm rh-ruby24-rubygem-psych-2.2.2-91.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 
7): Source: rh-ruby24-ruby-2.4.5-91.el7.src.rpm noarch: rh-ruby24-ruby-doc-2.4.5-91.el7.noarch.rpm rh-ruby24-ruby-irb-2.4.5-91.el7.noarch.rpm rh-ruby24-rubygem-minitest-5.10.1-91.el7.noarch.rpm rh-ruby24-rubygem-power_assert-0.4.1-91.el7.noarch.rpm rh-ruby24-rubygem-rake-12.0.0-91.el7.noarch.rpm rh-ruby24-rubygem-rdoc-5.0.0-91.el7.noarch.rpm rh-ruby24-rubygem-test-unit-3.2.3-91.el7.noarch.rpm rh-ruby24-rubygem-xmlrpc-0.2.1-91.el7.noarch.rpm rh-ruby24-rubygems-2.6.14.3-91.el7.noarch.rpm rh-ruby24-rubygems-devel-2.6.14.3-91.el7.noarch.rpm x86_64: rh-ruby24-ruby-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-debuginfo-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-devel-2.4.5-91.el7.x86_64.rpm rh-ruby24-ruby-libs-2.4.5-91.el7.x86_64.rpm rh-ruby24-rubygem-bigdecimal-1.3.2-91.el7.x86_64.rpm rh-ruby24-rubygem-did_you_mean-1.1.0-91.el7.x86_64.rpm rh-ruby24-rubygem-io-console-0.4.6-91.el7.x86_64.rpm rh-ruby24-rubygem-json-2.0.4-91.el7.x86_64.rpm rh-ruby24-rubygem-net-telnet-0.1.1-91.el7.x86_64.rpm rh-ruby24-rubygem-openssl-2.0.9-91.el7.x86_64.rpm rh-ruby24-rubygem-psych-2.2.2-91.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. 
References: https://access.redhat.com/security/cve/CVE-2017-17742 https://access.redhat.com/security/cve/CVE-2018-6914 https://access.redhat.com/security/cve/CVE-2018-8777 https://access.redhat.com/security/cve/CVE-2018-8778 https://access.redhat.com/security/cve/CVE-2018-8779 https://access.redhat.com/security/cve/CVE-2018-8780 https://access.redhat.com/security/cve/CVE-2018-16395 https://access.redhat.com/security/cve/CVE-2018-16396 https://access.redhat.com/security/cve/CVE-2018-1000073 https://access.redhat.com/security/cve/CVE-2018-1000074 https://access.redhat.com/security/cve/CVE-2018-1000075 https://access.redhat.com/security/cve/CVE-2018-1000076 https://access.redhat.com/security/cve/CVE-2018-1000077 https://access.redhat.com/security/cve/CVE-2018-1000078 https://access.redhat.com/security/cve/CVE-2018-1000079 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. 
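The first entry in the Security Fix(es) list above, CVE-2018-16395, is the issue that gives this update its Important rating. In the affected releases of the openssl gem, comparing two OpenSSL::X509::Name objects with == could report two different distinguished names as equal: per the upstream CVE description, depending on argument order, the result was true when the first name was one character longer than the second, or when a character of the second was one less than the character at the same position in the first. Anything that gates a decision on a subject or issuer name match (client-certificate allow-lists, issuer pinning) inherits that defect. The script below is an added example for this bulletin, not code from Red Hat or from the Ruby project: it feeds the interpreter's openssl gem name pairs constructed to hit exactly that case, in both argument orders, and reports any pair that Name#== accepts although the DER encodings differ. It also shows a DER-based comparison that does not depend on Name#<=> at all. The function names, the PROBE_PAIRS constant and the suggested file name are this example's own. Run it inside the collection you want to check, for example `scl enable rh-ruby24 'ruby x509_name_check.rb'`.

```ruby
# Added example (not part of the Red Hat advisory or the openssl gem):
# probe the installed openssl gem for the OpenSSL::X509::Name#== defect
# fixed by this update (CVE-2018-16395) and show a comparison that does not
# depend on the repaired Name#<=> method.
require 'openssl'

# Constructed test data. Each pair differs in exactly the way the upstream
# description says the vulnerable comparison mishandled: the first name is
# one character longer than the second, or one character of the second is
# one less than the character at the same position in the first.
PROBE_PAIRS = [
  ["/CN=example.comx", "/CN=example.com"],
  ["/CN=example.com",  "/CN=example.col"],
  ["/O=Example/CN=b",  "/O=Example/CN=a"],
].freeze

# Strict equality that bypasses Name#<=>: two names are the same only if
# their DER encodings are byte-for-byte identical. This never reports two
# different names as equal; it may report names that OpenSSL would treat as
# equivalent (case differences in case-insensitive string types) as
# different, which is the safe direction for an authorization check.
def same_name?(a, b)
  a.to_der == b.to_der
end

# Returns the probe pairs for which Name#== claims equality even though the
# DER encodings differ. An empty result means the installed gem behaves
# correctly for these inputs.
def x509_name_equality_defects(pairs = PROBE_PAIRS)
  pairs.each_with_object([]) do |(x, y), defects|
    a = OpenSSL::X509::Name.parse(x)
    b = OpenSSL::X509::Name.parse(y)
    next if same_name?(a, b) # genuinely equal names prove nothing here
    # Check both orderings: the defect depended on argument order.
    defects << [x, y] if a == b || b == a
  end
end

def x509_name_equality_vulnerable?
  !x509_name_equality_defects.empty?
end

if __FILE__ == $0
  puts "openssl gem #{OpenSSL::VERSION} / #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  defects = x509_name_equality_defects
  if defects.empty?
    puts "OK: Name#== agrees with DER comparison for all probe pairs"
  else
    defects.each { |x, y| puts "DEFECT: #{x} == #{y} reported true" }
    exit 1
  end
end
```

The probe deliberately compares against to_der rather than against a hard-coded list of fixed gem versions, so it gives the right answer on any build, including a backported fix whose version string has not changed. The exit status lets it run as a post-update check in a configuration-management job.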
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW/+7B9zjgjWX9erEAQiBRw/+PTyylUgFYmfM8CDoFnt9jAM934sAZjDx
U3FgydihQ4a8wPdZJnh4QZQnRF7AmcLCj83LPssCXvKN/q302CqXEiWLBStjLr7m
z+9eKP9+fhvgRn0opu7ro48/wzq6Dl7bzU2hON9S1mya1QF5OvAFLfvc+rcdtm2r
6hANOad64RB4DBrKvi+elFGA9oOesaNt+9CrbS6WqOXs2hUSTfdkM+PfxAQPTbrT
oKb+RxeP4hxm42C9CctG8j5k4eIry0ouzyua3k8ED5JFSB/iIv71ogTCAQxKSQWJ
6/WsS3bQzo/GIe1jUJQ0Ipq4ZCwHRXrlWeMuHlpO9Ubi72A/KX6mpXn+zb5bB6SC
qJXVTDuZX8tCJIvQ2z34plzLSoqSzFzdst02IQWFRwBs86EDUlkQjaOwFEj33GRe
f7mCxGwHH3A60fmvhFLl+4DBfhR4RLIAB0yRO8RAGjX7MHcEBzTFNpcGb7gH54hR
+5pGNVvvr7ahGQ/ff943wno6IdM2vSat2cDLFsBe0B0vWOymFcD8qd+aagl3pnfZ
qG7aJ7drJ7J22oXNaCPmgbBc19i2wGtd/1vTUVdelo8/r1JdSVU9PpzLnTzsL2qz
l1KVE6MhOvNQWlvecSH/08lTnuzGllLvW49JKavbeAOal59vwqcCePhK2hbg4RBE
nLjBtFopAA8=
=/ldb
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: rh-ruby25-ruby security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:3731-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3731
Issue date:        2018-11-29
CVE Names:         CVE-2017-17742 CVE-2018-6914 CVE-2018-8777
                   CVE-2018-8778 CVE-2018-8779 CVE-2018-8780
                   CVE-2018-16395 CVE-2018-16396 CVE-2018-1000073
                   CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                   CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079
=====================================================================

1. Summary:

An update for rh-ruby25-ruby is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version:
rh-ruby25-ruby (2.5.3), rh-ruby25-rubygems (2.7.6),
rh-ruby25-rubygem-openssl (2.1.2). (BZ#1650588)

Security Fix(es):

* ruby: OpenSSL::X509::Name equality check does not work correctly (CVE-2018-16395)
* ruby: HTTP response splitting in WEBrick (CVE-2017-17742)
* ruby: DoS by large request in WEBrick (CVE-2018-8777)
* ruby: Buffer under-read in String#unpack (CVE-2018-8778)
* ruby: Unintentional directory traversal by poisoned NULL byte in Dir (CVE-2018-8780)
* ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives (CVE-2018-16396)
* rubygems: Path traversal when writing to a symlinked basedir outside of the root (CVE-2018-1000073)
* rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (CVE-2018-1000074)
* rubygems: Improper verification of signatures in tarball allows to install mis-signed gem (CVE-2018-1000076)
* rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL (CVE-2018-1000077)
* rubygems: XSS vulnerability in homepage attribute when displayed via gem server (CVE-2018-1000078)
* rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations (CVE-2018-1000079)
* ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (CVE-2018-6914)
* ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket (CVE-2018-8779)
* rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service (CVE-2018-1000075)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1547418 - CVE-2018-1000073 rubygems: Path traversal when writing to a symlinked basedir outside of the root
1547419 - CVE-2018-1000074 rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML
1547420 - CVE-2018-1000075 rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service
1547421 - CVE-2018-1000076 rubygems: Improper verification of signatures in tarball allows to install mis-signed gem
1547422 - CVE-2018-1000077 rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL
1547425 - CVE-2018-1000078 rubygems: XSS vulnerability in homepage attribute when displayed via gem server
1547426 - CVE-2018-1000079 rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations
1561947 - CVE-2018-6914 ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
1561948 - CVE-2018-8779 ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket
1561949 - CVE-2018-8780 ruby: Unintentional directory traversal by poisoned NULL byte in Dir
1561950 - CVE-2018-8777 ruby: DoS by large request in WEBrick
1561952 - CVE-2017-17742 ruby: HTTP response splitting in WEBrick
1561953 - CVE-2018-8778 ruby: Buffer under-read in String#unpack
1643086 - CVE-2018-16395 ruby: OpenSSL::X509::Name equality check does not work correctly
1643089 - CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
1650588 - Rebase to the latest Ruby 2.5 point release [rhscl-3.2.z]

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-ruby25-ruby-2.5.3-6.el7.src.rpm

aarch64:
rh-ruby25-ruby-2.5.3-6.el7.aarch64.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.aarch64.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.aarch64.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.aarch64.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.aarch64.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.aarch64.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.aarch64.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.aarch64.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.aarch64.rpm

noarch:
rh-ruby25-ruby-doc-2.5.3-6.el7.noarch.rpm
rh-ruby25-ruby-irb-2.5.3-6.el7.noarch.rpm
rh-ruby25-rubygem-did_you_mean-1.2.0-6.el7.noarch.rpm
rh-ruby25-rubygem-minitest-5.10.3-6.el7.noarch.rpm
rh-ruby25-rubygem-net-telnet-0.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-power_assert-1.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-rake-12.3.0-6.el7.noarch.rpm
rh-ruby25-rubygem-rdoc-6.0.1-6.el7.noarch.rpm
rh-ruby25-rubygem-test-unit-3.2.7-6.el7.noarch.rpm
rh-ruby25-rubygem-xmlrpc-0.3.0-6.el7.noarch.rpm
rh-ruby25-rubygems-2.7.6-6.el7.noarch.rpm
rh-ruby25-rubygems-devel-2.7.6-6.el7.noarch.rpm

ppc64le:
rh-ruby25-ruby-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.ppc64le.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.ppc64le.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.ppc64le.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.ppc64le.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.ppc64le.rpm

s390x:
rh-ruby25-ruby-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.s390x.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.s390x.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.s390x.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.s390x.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.s390x.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.s390x.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-ruby25-ruby-2.5.3-6.el7.src.rpm

aarch64:
rh-ruby25-ruby-2.5.3-6.el7.aarch64.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.aarch64.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.aarch64.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.aarch64.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.aarch64.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.aarch64.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.aarch64.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.aarch64.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.aarch64.rpm

noarch:
rh-ruby25-ruby-doc-2.5.3-6.el7.noarch.rpm
rh-ruby25-ruby-irb-2.5.3-6.el7.noarch.rpm
rh-ruby25-rubygem-did_you_mean-1.2.0-6.el7.noarch.rpm
rh-ruby25-rubygem-minitest-5.10.3-6.el7.noarch.rpm
rh-ruby25-rubygem-net-telnet-0.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-power_assert-1.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-rake-12.3.0-6.el7.noarch.rpm
rh-ruby25-rubygem-rdoc-6.0.1-6.el7.noarch.rpm
rh-ruby25-rubygem-test-unit-3.2.7-6.el7.noarch.rpm
rh-ruby25-rubygem-xmlrpc-0.3.0-6.el7.noarch.rpm
rh-ruby25-rubygems-2.7.6-6.el7.noarch.rpm
rh-ruby25-rubygems-devel-2.7.6-6.el7.noarch.rpm

ppc64le:
rh-ruby25-ruby-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.ppc64le.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.ppc64le.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.ppc64le.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.ppc64le.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.ppc64le.rpm

s390x:
rh-ruby25-ruby-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.s390x.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.s390x.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.s390x.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.s390x.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.s390x.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.s390x.rpm

x86_64:
rh-ruby25-ruby-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.x86_64.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.x86_64.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.x86_64.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.x86_64.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.x86_64.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4):

Source:
rh-ruby25-ruby-2.5.3-6.el7.src.rpm

noarch:
rh-ruby25-ruby-doc-2.5.3-6.el7.noarch.rpm
rh-ruby25-ruby-irb-2.5.3-6.el7.noarch.rpm
rh-ruby25-rubygem-did_you_mean-1.2.0-6.el7.noarch.rpm
rh-ruby25-rubygem-minitest-5.10.3-6.el7.noarch.rpm
rh-ruby25-rubygem-net-telnet-0.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-power_assert-1.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-rake-12.3.0-6.el7.noarch.rpm
rh-ruby25-rubygem-rdoc-6.0.1-6.el7.noarch.rpm
rh-ruby25-rubygem-test-unit-3.2.7-6.el7.noarch.rpm
rh-ruby25-rubygem-xmlrpc-0.3.0-6.el7.noarch.rpm
rh-ruby25-rubygems-2.7.6-6.el7.noarch.rpm
rh-ruby25-rubygems-devel-2.7.6-6.el7.noarch.rpm

ppc64le:
rh-ruby25-ruby-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.ppc64le.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.ppc64le.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.ppc64le.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.ppc64le.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.ppc64le.rpm

s390x:
rh-ruby25-ruby-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.s390x.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.s390x.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.s390x.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.s390x.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.s390x.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.s390x.rpm

x86_64:
rh-ruby25-ruby-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.x86_64.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.x86_64.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.x86_64.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.x86_64.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.x86_64.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):

Source:
rh-ruby25-ruby-2.5.3-6.el7.src.rpm

noarch:
rh-ruby25-ruby-doc-2.5.3-6.el7.noarch.rpm
rh-ruby25-ruby-irb-2.5.3-6.el7.noarch.rpm
rh-ruby25-rubygem-did_you_mean-1.2.0-6.el7.noarch.rpm
rh-ruby25-rubygem-minitest-5.10.3-6.el7.noarch.rpm
rh-ruby25-rubygem-net-telnet-0.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-power_assert-1.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-rake-12.3.0-6.el7.noarch.rpm
rh-ruby25-rubygem-rdoc-6.0.1-6.el7.noarch.rpm
rh-ruby25-rubygem-test-unit-3.2.7-6.el7.noarch.rpm
rh-ruby25-rubygem-xmlrpc-0.3.0-6.el7.noarch.rpm
rh-ruby25-rubygems-2.7.6-6.el7.noarch.rpm
rh-ruby25-rubygems-devel-2.7.6-6.el7.noarch.rpm

ppc64le:
rh-ruby25-ruby-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.ppc64le.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.ppc64le.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.ppc64le.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.ppc64le.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.ppc64le.rpm

s390x:
rh-ruby25-ruby-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.s390x.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.s390x.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.s390x.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.s390x.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.s390x.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.s390x.rpm

x86_64:
rh-ruby25-ruby-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.x86_64.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.x86_64.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.x86_64.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.x86_64.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.x86_64.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
rh-ruby25-ruby-2.5.3-6.el7.src.rpm

noarch:
rh-ruby25-ruby-doc-2.5.3-6.el7.noarch.rpm
rh-ruby25-ruby-irb-2.5.3-6.el7.noarch.rpm
rh-ruby25-rubygem-did_you_mean-1.2.0-6.el7.noarch.rpm
rh-ruby25-rubygem-minitest-5.10.3-6.el7.noarch.rpm
rh-ruby25-rubygem-net-telnet-0.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-power_assert-1.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-rake-12.3.0-6.el7.noarch.rpm
rh-ruby25-rubygem-rdoc-6.0.1-6.el7.noarch.rpm
rh-ruby25-rubygem-test-unit-3.2.7-6.el7.noarch.rpm
rh-ruby25-rubygem-xmlrpc-0.3.0-6.el7.noarch.rpm
rh-ruby25-rubygems-2.7.6-6.el7.noarch.rpm
rh-ruby25-rubygems-devel-2.7.6-6.el7.noarch.rpm

ppc64le:
rh-ruby25-ruby-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.ppc64le.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.ppc64le.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.ppc64le.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.ppc64le.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.ppc64le.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.ppc64le.rpm

s390x:
rh-ruby25-ruby-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.s390x.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.s390x.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.s390x.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.s390x.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.s390x.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.s390x.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.s390x.rpm

x86_64:
rh-ruby25-ruby-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.x86_64.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.x86_64.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.x86_64.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.x86_64.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.x86_64.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-ruby25-ruby-2.5.3-6.el7.src.rpm

noarch:
rh-ruby25-ruby-doc-2.5.3-6.el7.noarch.rpm
rh-ruby25-ruby-irb-2.5.3-6.el7.noarch.rpm
rh-ruby25-rubygem-did_you_mean-1.2.0-6.el7.noarch.rpm
rh-ruby25-rubygem-minitest-5.10.3-6.el7.noarch.rpm
rh-ruby25-rubygem-net-telnet-0.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-power_assert-1.1.1-6.el7.noarch.rpm
rh-ruby25-rubygem-rake-12.3.0-6.el7.noarch.rpm
rh-ruby25-rubygem-rdoc-6.0.1-6.el7.noarch.rpm
rh-ruby25-rubygem-test-unit-3.2.7-6.el7.noarch.rpm
rh-ruby25-rubygem-xmlrpc-0.3.0-6.el7.noarch.rpm
rh-ruby25-rubygems-2.7.6-6.el7.noarch.rpm
rh-ruby25-rubygems-devel-2.7.6-6.el7.noarch.rpm

x86_64:
rh-ruby25-ruby-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-debuginfo-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-devel-2.5.3-6.el7.x86_64.rpm
rh-ruby25-ruby-libs-2.5.3-6.el7.x86_64.rpm
rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7.x86_64.rpm
rh-ruby25-rubygem-io-console-0.4.6-6.el7.x86_64.rpm
rh-ruby25-rubygem-json-2.1.0-6.el7.x86_64.rpm
rh-ruby25-rubygem-openssl-2.1.2-6.el7.x86_64.rpm
rh-ruby25-rubygem-psych-3.0.2-6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-17742
https://access.redhat.com/security/cve/CVE-2018-6914
https://access.redhat.com/security/cve/CVE-2018-8777
https://access.redhat.com/security/cve/CVE-2018-8778
https://access.redhat.com/security/cve/CVE-2018-8779
https://access.redhat.com/security/cve/CVE-2018-8780
https://access.redhat.com/security/cve/CVE-2018-16395
https://access.redhat.com/security/cve/CVE-2018-16396
https://access.redhat.com/security/cve/CVE-2018-1000073
https://access.redhat.com/security/cve/CVE-2018-1000074
https://access.redhat.com/security/cve/CVE-2018-1000075
https://access.redhat.com/security/cve/CVE-2018-1000076
https://access.redhat.com/security/cve/CVE-2018-1000077
https://access.redhat.com/security/cve/CVE-2018-1000078
https://access.redhat.com/security/cve/CVE-2018-1000079
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
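Three of the fixes listed in this advisory (and in the rh-ruby24 advisory above) are the same class of bug: a caller-supplied string reached the C library carrying a NUL byte or path separators that Ruby had not screened, so the operating system acted on a different path than the program believed it had passed. For CVE-2018-8780 that was Dir (Dir.open, Dir.new, Dir.entries, Dir.empty?) truncating at the NUL; for CVE-2018-8779 it was UNIXServer and UNIXSocket creating a socket at the truncated path; for CVE-2018-6914 it was Tempfile and Dir.mktmpdir accepting a prefix such as "../../" and creating the file or directory outside the temporary directory. The script below is an added example for this bulletin, not code from Red Hat or from the Ruby project: it checks an interpreter for the behaviour the fixes introduced (an ArgumentError for NUL-poisoned paths, and temporary files confined to Dir.tmpdir regardless of prefix). Function names are this example's own; everything it touches lives under Dir.tmpdir and is removed afterwards. On an unpatched interpreter the UNIXServer probe would really create a socket at the truncated path, which is why that probe cleans up after itself.

```ruby
# Added example (not part of the Red Hat advisory or the Ruby project):
# probe a Ruby interpreter for three path-handling defects fixed by this
# update, using the behaviour the fixes introduced:
#   CVE-2018-8780  Dir must reject a path that contains a NUL byte
#   CVE-2018-8779  UNIXServer/UNIXSocket must reject a path with a NUL byte
#   CVE-2018-6914  Tempfile/tmpdir must keep files inside the temp directory
#                  even when the caller-supplied prefix contains "../"
require 'socket'
require 'tempfile'
require 'tmpdir'
require 'fileutils'

# True when Dir refuses a NUL-poisoned path. An unpatched interpreter handed
# the bytes to the C library, which stopped at the NUL and listed the prefix.
def dir_rejects_nul_byte?
  Dir.entries("#{Dir.tmpdir}\0/../../etc")
  false
rescue ArgumentError
  true
end

# True when UNIXServer refuses a NUL-poisoned path. On an unpatched
# interpreter the socket would be created at the truncated path, so the
# probe removes whatever it may have left behind.
def unix_server_rejects_nul_byte?
  path = File.join(Dir.tmpdir, "probe-#{$$}.sock")
  srv = UNIXServer.new("#{path}\0-ignored")
  false
rescue ArgumentError
  true
ensure
  srv&.close
  FileUtils.rm_f(path)
end

# True when a prefix laden with "../" still yields a file inside Dir.tmpdir.
# The fixed tmpdir.rb deletes every character outside a small safe set
# (letters, digits and a few punctuation characters) from prefix and suffix,
# so the separators cannot survive into the generated path.
def tempfile_stays_in_tmpdir?
  Tempfile.create(["../../probe-", ".txt"]) do |f|
    File.realpath(File.dirname(f.path)) == File.realpath(Dir.tmpdir)
  end
end

# Name => true (fixed behaviour observed) / false (vulnerable behaviour).
def path_handling_probe_results
  {
    "CVE-2018-8780 Dir rejects NUL byte"        => dir_rejects_nul_byte?,
    "CVE-2018-8779 UNIXServer rejects NUL byte" => unix_server_rejects_nul_byte?,
    "CVE-2018-6914 Tempfile confined to tmpdir" => tempfile_stays_in_tmpdir?,
  }
end

if __FILE__ == $0
  results = path_handling_probe_results
  results.each { |check, ok| puts "#{ok ? 'PASS' : 'FAIL'}  #{check}" }
  exit 1 unless results.values.all?
end
```

The same pattern applies to application code that builds paths from request data: reject strings containing "\0" or a separator before they reach File, Dir or Socket, rather than relying on the interpreter to do it, because the interpreter-level check only exists on the fixed builds this advisory delivers.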
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW/+91dzjgjWX9erEAQgsYg//T1k2uJAGrqAbQc6yVRTtLRed7taHfzae
t9vQ53Ij0eiq7BeMtqsrD3sZkUxfYbBSub1BiF5erqT9pE+euJmn0Qp/cb8oCfry
xMuk3yCd7b0VmhtGu3d9LqUGYRmH78a7SzyybXSOMtSVm1vrel9WMO1/LlgiiQOz
UQW9E7POb1DJG/SEObxOdZB4sW92cEEqjJq/kgPOFPpaRVfyuDn1zVzEozJDKlFi
9oFflRYr7E/6cU3tB7ehqfRCfBKYdZ70JqKt8jCZHsHYDSvX37BMP2ubIFwyaD/M
pKl6Dj29noHHUOw8ObQ7ynlWYnKsTq8OKpWRryGnyRiGAi50pXXJH1VhH4x5n9ZT
f2PkI7PVBe2Ojo/lvbSa63VarF2mNpGMFBFWQQ5JxQ06kRjdb/b899P9vLHFVCQF
Q1oBQ0UcdAJk+f6K0hTxKgk4y0E6c6S3YQk9qt6iy0KxgpYBp9qyND424Y/auNMK
2T4RB0himszRsozRVD8hb+CXE0NpGu1DA54MOcyjEcDPwxkuT7ZDUafEDWgIGpWg
mM0R4vl4ftJJk7+lFZc8sTBtorwKojWWBGYzlieQKLZ9/CrEfARUyDnHK1hADBd9
1If3QvQmjTPeVGs4J39tPUY6lVJcZiQAI/9/XDs8dmZ+kQeVRj6ltSVACREBU+Io
AYoGMZ7Wvdo=
=tTyc
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXACB/GaOgq3Tt24GAQhnEA//Xrto84VTje1UbusiGHM4bnwLGZ3/wpNS
/+/O3DSSilXxGKAOPg8+oIJwIiQqr1bMoUO451hwzmTXp3l32dESUR84Nm2GZTp0
SFd12r+qm2GngJYtV/BUDEsPsu+QVROZOejf0zx5aFl501S86X5E+46quuJC/fRH
xoYvSI4qvB6aBOiV9lWOlGJ67N32qPwOXoVM8c1uIzE1GbeFomt9Cg7QKTJqSibB
1AvgX3eH0b3CvB0rAy8DWSCHjDASpxVFWCS8hn9LDPmsaLp54Blrfeo/rF48Q2vM
DlhnuYWWCsnK7WBMJilnTtKXoiQH/BmV3TyMXi6ACdsEe1BB989mTtF/+XxheUrS
q/gGViprOefXDZ2/ne1Etg1Rl944oXlWBf+RcnZwIZ6R+zzbXwJze0yxrymxRpie
6dxq6poj2tG8lNEcwbYTClBv3paWa12QDT87qVK3E50m25OU2OpQ3jDgSyeXl7AG
5TIlgeqL42ZHCVevk1fUS8EVgO1M64Vc0V66/+IbELm2D4aNPaM01cqFj5GToaNO
Ssr7b0QNl9CjW9taI1ZoUZ2gjR3qncBZeP+DAQSg7jLldVXJI7/p7FvHaur2rAZY
4RTcRQQxpAMDssxgc8AgS/SaOzik/sVwfuAaJCNRU/JebkB5Oqjg4RV3ECy6tEIg
XQD6srUZeW0=
=F/+o
-----END PGP SIGNATURE-----