FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID  Description
06ed6a49-bad4-11ec-9cfe-0800270512f4  Ruby -- Buffer overrun in String-to-Float conversion

piao reports:

Due to a bug in an internal function that converts a String to a Float, some conversion methods like Kernel#Float and String#to_f could cause a buffer over-read. A typical consequence is process termination due to a segmentation fault, but in limited circumstances it may be exploitable for illegal memory reads.


Discovery 2022-04-12
Entry 2022-04-13
ruby
ge 2.7.0,1 lt 2.7.6,1

ge 3.0.0,1 lt 3.0.4,1

ge 3.1.0,1 lt 3.1.2,1

ge 3.2.0.p1,1 lt 3.2.0.p1_1,1

ruby27
ge 2.7.0,1 lt 2.7.6,1

ruby30
ge 3.0.0,1 lt 3.0.4,1

ruby31
ge 3.1.0,1 lt 3.1.2,1

ruby32
ge 3.2.0.p1,1 lt 3.2.0.p1_1,1

CVE-2022-28739
https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
1daea60a-4719-11da-b5c6-0004614cc33d  ruby -- vulnerability in the safe level settings

Ruby home page reports:

The Object Oriented Scripting Language Ruby supports safely executing untrusted code with two mechanisms: safe level and the taint flag on objects.

A vulnerability has been found that allows bypassing these mechanisms.

By using the vulnerability, arbitrary code can be executed beyond the restrictions specified in each safe level. Therefore, Ruby has to be updated on all systems that use safe level to execute untrusted code.


Discovery 2005-10-02
Entry 2005-10-27
ruby
ruby_static
gt 1.6.* lt 1.6.8.2004.07.28_2

gt 1.8.* lt 1.8.2_5

CVE-2005-2337
http://www.ruby-lang.org/en/20051003.html
2a093853-2495-11e2-b0c7-000d601460a4  ruby -- $SAFE escaping vulnerability about Exception#to_s/NameError#to_s

The official ruby site reports:

Vulnerabilities were found in Exception#to_s, NameError#to_s, and name_err_mesg_to_s(), which is a Ruby interpreter-internal API. Malicious user code can bypass the $SAFE check by utilizing one of those security holes.

Ruby's $SAFE mechanism enables untrusted user code to run in $SAFE >= 4 mode. This is a kind of sandboxing, so some operations are restricted in that mode to protect other data outside the sandbox.

The problem found was around this mechanism. Exception#to_s, NameError#to_s, and the name_err_mesg_to_s() interpreter-internal API were not correctly handling the $SAFE bits, so a String object which is not tainted can destructively be marked as tainted using them. By using this, untrusted code in a sandbox can modify a formerly-untainted string destructively.

Ruby 1.8 once had a similar security issue. It fixed Exception#to_s and NameError#to_s, but the name_err_mesg_to_str() issue survived the previous security fix.


Discovery 2012-08-21
Entry 2012-11-01
ruby
gt 1.8.7,1 lt 1.8.7.371,1

gt 1.9.3,1 lt 1.9.3.286,1

CVE-2012-4464
CVE-2012-4466
http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/
https://access.redhat.com/security/cve/CVE-2012-4464/
2c6af5c3-4d36-11ec-a539-0800270512f4  rubygem-cgi -- buffer overrun in CGI.escape_html

chamal reports:

A security vulnerability that causes a buffer overflow when you pass a very large string (> 700 MB) to CGI.escape_html on a platform where the long type takes 4 bytes, typically Windows.


Discovery 2021-11-24
Entry 2021-11-24
ruby
ge 2.7.0,1 lt 2.7.5,1

ge 3.0.0,1 lt 3.0.3,1

ruby27
ge 2.7.0,1 lt 2.7.5,1

ruby30
ge 3.0.0,1 lt 3.0.3,1

rubygem-cgi
< 0.3.1

CVE-2021-41816
https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/
34e0316a-aa91-11df-8c2e-001517289bf8  ruby -- UTF-7 encoding XSS vulnerability in WEBrick

The official ruby site reports:

WEBrick has had a cross-site scripting vulnerability that allows an attacker to inject arbitrary script or HTML via a crafted URI. This does not affect user agents that strictly implement HTTP/1.1; however, some user agents do not.


Discovery 2010-08-16
Entry 2010-08-17
Modified 2010-08-20
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.7.248_3,1

ge 1.9.*,1 lt 1.9.1.430,1

40895
CVE-2010-0541
http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/
3b50881d-1860-4721-aab1-503290e23f6c  Ruby -- unsafe tainted string vulnerability

Ruby developer reports:

There is an unsafe tainted string vulnerability in Fiddle and DL. This issue was originally reported and fixed with CVE-2009-5147 in DL, but reappeared after DL was reimplemented using Fiddle and libffi.

And, about DL, CVE-2009-5147 was fixed in Ruby 1.9.1 but not in other branches, so rubies which bundle DL, except Ruby 1.9.1, are still vulnerable.


Discovery 2015-12-16
Entry 2015-12-23
ruby
ge 2.0.0,1 lt 2.0.0.648,1

ge 2.1.0,1 lt 2.1.8,1

ge 2.2.0,1 lt 2.2.4,1

https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
CVE-2015-7551
3decc87d-2498-11e2-b0c7-000d601460a4  ruby -- Unintentional file creation caused by inserting an illegal NUL character

The official ruby site reports:

A vulnerability was found whereby file creation routines can create unintended files by strategically inserting NUL(s) in file paths. This vulnerability has been reported as CVE-2012-4522.

Ruby can handle arbitrary binary patterns as Strings, including NUL chars. On the other hand, OSes and other libraries tend not to. They usually treat a NUL as an End of String mark. So to interface them with Ruby, NUL chars should properly be avoided.

However, methods like IO#open did not check the filename passed to them, and just passed those strings to lower layer routines. This led to the creation of unintended files.


Discovery 2012-10-12
Entry 2012-11-01
ruby
gt 1.9.3,1 lt 1.9.3.286,1

CVE-2012-4522
http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/
https://access.redhat.com/security/cve/CVE-2012-4522/
4548ec97-4d38-11ec-a539-0800270512f4  rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse

ooooooo_q reports:

The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.

By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.


Discovery 2021-11-24
Entry 2021-11-24
ruby
ge 2.6.0,1 lt 2.6.9,1

ge 2.7.0,1 lt 2.7.5,1

ge 3.0.0,1 lt 3.0.3,1

ruby26
ge 2.6.0,1 lt 2.6.9,1

ruby27
ge 2.7.0,1 lt 2.7.5,1

ruby30
ge 3.0.0,1 lt 3.0.3,1

rubygem-cgi
< 0.3.1

CVE-2021-41819
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
53802164-3f7e-11dd-90ea-0019666436c2  ruby -- multiple integer and buffer overflow vulnerabilities

The official ruby site reports:

Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.


Discovery 2008-06-19
Entry 2008-06-21
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.111_3,1

ruby_static
ge 1.8.*,1

CVE-2008-2726
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/
594eb447-e398-11d9-a8bd-000cf18bbe54  ruby -- arbitrary command execution on XMLRPC server

Nobuhiro IMAI reports:

the default value modification on Module#public_instance_methods (from false to true) breaks s.add_handler(XMLRPC::iPIMethods("sample"), MyHandler.new) style security protection.

This problem could allow a remote attacker to execute arbitrary commands on XMLRPC server of libruby.


Discovery 2005-06-22
Entry 2005-06-23
Modified 2005-11-06
ruby
ruby_static
gt 1.8.* lt 1.8.2_3

CVE-2005-1992
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064
5e647ca3-2aea-11e2-b745-001fd0af1a4c  ruby -- Hash-flooding DoS vulnerability for ruby 1.9

The official ruby site reports:

A carefully crafted sequence of strings can cause a denial of service attack on a service that parses the sequence to create a Hash object using the strings as keys. For instance, this vulnerability affects web applications that parse JSON data sent from an untrusted entity.

This vulnerability is similar to CVE-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using a modified MurmurHash function, but it is reported that there is a way to create a sequence of strings whose hash values collide with each other. This fix changes the hash function of String objects from MurmurHash to SipHash 2-4.


Discovery 2012-11-10
Entry 2012-11-10
ruby
ge 1.9 lt 1.9.3.327

CVE-2012-5371
http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
62e0fbe5-5798-11de-bb78-001cc0377035  ruby -- BigDecimal denial of service vulnerability

The official ruby site reports:

A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.

An attacker can cause a denial of service by causing BigDecimal to parse an insanely large number, such as:

BigDecimal("9E69999999").to_s("F")


Discovery 2009-06-09
Entry 2009-06-13
Modified 2010-05-02
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.7.160_1,1

35278
CVE-2009-1904
http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
6916ea94-4628-11ec-bbe2-0800270512f4  rubygem-date -- Regular Expression Denial of Service Vulnerability of Date Parsing Methods

Stanislav Valkanov reports:

Date's parsing methods, including Date.parse, use Regexps internally, some of which are vulnerable to regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.


Discovery 2021-11-15
Entry 2021-11-15
Modified 2021-11-24
ruby
ge 2.6.0,1 lt 2.6.9,1

ge 2.7.0,1 lt 2.7.5,1

ge 3.0.0,1 lt 3.0.3,1

ruby26
ge 2.6.0,1 lt 2.6.9,1

ruby27
ge 2.7.0,1 lt 2.7.5,1

ruby30
ge 3.0.0,1 lt 3.0.3,1

rubygem-date
< 3.2.1

CVE-2021-41817
https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
76562594-1f19-11db-b7d4-0008743bf21a  ruby -- multiple vulnerabilities

Secunia reports:

Two vulnerabilities have been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions.

  1. An error in the handling of the "alias" functionality can be exploited to bypass the safe level protection and replace methods called in the trusted level.
  2. An error caused due to directory operations not being properly checked can be exploited to bypass the safe level protection and close untainted directory streams.

Discovery 2006-07-12
Entry 2006-07-29
Modified 2006-07-30
ruby
ruby_static
gt 1.6.* lt 1.8.*

gt 1.8.* lt 1.8.4_9,1

18944
CVE-2006-3694
http://secunia.com/advisories/21009/
http://jvn.jp/jp/JVN%2383768862/index.html
http://jvn.jp/jp/JVN%2313947696/index.html
7ed5779c-e4c7-11eb-91d7-08002728f74c  Ruby -- multiple vulnerabilities

Ruby news:

This release includes security fixes. Please check the topics below for details.

CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP

CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

CVE-2021-31799: A command injection vulnerability in RDoc


Discovery 2021-07-07
Entry 2021-07-14
ruby26
< 2.6.8,1

ruby
< 2.7.4,1

ruby30
< 3.0.2,1

CVE-2021-31799
CVE-2021-31810
CVE-2021-32066
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
7fe7df75-6568-11e6-a590-14dae9d210b8  End of Life Ports

These packages have reached End of Life status and/or have been removed from the Ports Tree. They may contain undocumented security issues. Please take caution and find alternative software as soon as possible.


Discovery 2016-08-18
Entry 2016-08-18
Modified 2016-10-18
python32
python31
python30
python26
python25
python24
python23
python22
python21
python20
python15
ge 0

php54
php53
php52
php5
php4
ge 0

perl5
< 5.18

perl5.16
perl5.14
perl5.12
perl
ge 0

ruby
ruby_static
< 2.1,1

unifi2
unifi3
ge 0

apache21
apache20
apache13
ge 0

tomcat55
tomcat41
ge 0

mysql51-client
mysql51-server
mysql50-client
mysql50-server
mysql41-client
mysql41-server
mysql40-client
mysql40-server
ge 0

postgresql90-client
postgresql90-server
postgresql84-client
postgresql84-server
postgresql83-client
postgresql83-server
postgresql82-client
postgresql82-server
postgresql81-client
postgresql81-server
postgresql80-client
postgresql80-server
postgresql74-client
postgresql74-server
postgresql73-client
postgresql73-server
postgresql72-client
postgresql72-server
postgresql71-client
postgresql71-server
postgresql7-client
postgresql7-server
ge 0

ports/211975
844cf3f5-9259-4b3e-ac9e-13ca17333ed7  ruby -- DoS vulnerability in REXML

Ruby developers report:

Unrestricted entity expansion can lead to a DoS vulnerability in REXML. (The CVE identifier will be assigned later.) We strongly recommend upgrading ruby.

When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.


Discovery 2013-02-22
Entry 2013-02-24
ruby
ge 1.9,1 lt 1.9.3.392,1

http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
84ab03b6-6c20-11ed-b519-080027f5fec9  rubygem-cgi -- HTTP response splitting vulnerability

Hiroshi Tokumaru reports:

If an application generates HTTP responses using the cgi gem with untrusted user input, an attacker can exploit it to inject a malicious HTTP response header and/or body.

Also, the contents for a CGI::Cookie object were not checked properly. If an application creates a CGI::Cookie object based on user input, an attacker may exploit it to inject invalid attributes in Set-Cookie header. We think such applications are unlikely, but we have included a change to check arguments for CGI::Cookie#initialize preventatively.


Discovery 2022-11-22
Entry 2022-11-24
rubygem-cgi
< 0.3.4

ruby
ge 2.7.0,1 lt 2.7.7,1

ge 3.0.0,1 lt 3.0.5,1

ge 3.1.0,1 lt 3.1.3,1

ge 3.2.0.p1,1 lt 3.2.0.r1,1

ruby27
ge 2.7.0,1 lt 2.7.7,1

ruby30
ge 3.0.0,1 lt 3.0.5,1

ruby31
ge 3.1.0,1 lt 3.1.3,1

ruby32
ge 3.2.0.p1,1 lt 3.2.0.r1,1

CVE-2021-33621
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
91be81e7-3fea-11e1-afc7-2c4138874f7d  Multiple implementations -- DoS via hash algorithm collision

oCERT reports:

A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures; the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits on the number of parameters in POST requests, in conjunction with the predictable collision properties of the hashing functions of the underlying languages, can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can cause 100% CPU usage which can last up to several hours depending on the targeted application and server performance; the amplification effect is considerable and requires little bandwidth and time on the attacker side.

The condition for predictable collisions in the hashing functions has been reported for the following language implementations: Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the Ruby language, the 1.9.x branch is not affected by the predictable collision condition since this version includes a randomization of the hashing function.

The vulnerability outlined in this advisory is practically identical to the one reported in 2003 and described in the paper Denial of Service via Algorithmic Complexity Attacks which affected the Perl language.


Discovery 2011-12-28
Entry 2012-01-16
Modified 2012-01-20
jruby
< 1.6.5.1

ruby
ruby+nopthreads
ruby+nopthreads+oniguruma
ruby+oniguruma
< 1.8.7.357,1

rubygem-rack
< 1.3.6,3

v8
< 3.8.5

redis
le 2.4.6

node
< 0.6.7

CVE-2011-4838
CVE-2011-4815
CVE-2011-5036
CVE-2011-5037
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf
959d384d-6b59-11dd-9d79-001fc61c2a55  ruby -- DNS spoofing vulnerability

The official ruby site reports:

resolv.rb allows remote attackers to spoof DNS answers. This risk can be reduced by randomness of DNS transaction IDs and source ports.


Discovery 2008-08-08
Entry 2008-08-16
Modified 2009-02-09
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.111_5,1

ge 1.9.*,1 lt 1.9.1.0,1

CVE-2008-1447
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
95b01379-9d52-11e7-a25c-471bafc3262f  ruby -- multiple vulnerabilities

Ruby blog:

CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf

If a malicious format string which contains a precision specifier (*) is passed and a huge minus value is also passed to the specifier, a buffer underrun may be caused. In such a situation, the result may contain heap contents, or the Ruby interpreter may crash.

CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick

When using the Basic authentication of WEBrick, clients can pass an arbitrary string as the user name. WEBrick outputs the passed user name intact to its log, so an attacker can inject malicious escape sequences into the log, and dangerous control characters may be executed on a victim's terminal emulator.

This vulnerability is similar to a vulnerability already fixed, but it had not been fixed in the Basic authentication.

CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode

If a malicious string is passed to the decode method of OpenSSL::ASN1, buffer underrun may be caused and the Ruby interpreter may crash.

CVE-2017-14064: Heap exposure vulnerability in generating JSON

The generate method of JSON module optionally accepts an instance of JSON::Ext::Generator::State class. If a malicious instance is passed, the result may include contents of heap.


Discovery 2017-09-14
Entry 2017-09-19
ruby
ge 2.2.0 lt 2.2.8

ge 2.3.0 lt 2.3.5

ge 2.4.0 lt 2.4.2

https://www.ruby-lang.org/en/security/
https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/
CVE-2017-0898
CVE-2017-10784
CVE-2017-14033
CVE-2017-14064
a8674c14-83d7-11db-88d5-0012f06707f0  ruby -- cgi.rb library Denial of Service

The official ruby site reports:

Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS).

A specific HTTP request for any web application using cgi.rb causes CPU consumption on the machine on which the web application is running. Many such requests result in a denial of service.


Discovery 2006-12-04
Entry 2006-12-04
Modified 2010-05-12
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.5_5,1

ruby_static
ge 1.8.*,1

CVE-2006-6303
http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
ab8dbe98-6be4-11db-ae91-0012f06707f0  ruby -- cgi.rb library Denial of Service

Official ruby site reports:

A vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS). The problem is triggered by sending the library an HTTP request that uses multipart MIME encoding and an invalid boundary specifier that begins with "-" instead of "--". Once triggered it will exhaust all available memory resources, effectively creating a DoS condition.


Discovery 2006-10-25
Entry 2006-11-04
Modified 2006-12-15
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.5_4,1

ruby_static
ge 1.8.*,1

20777
CVE-2006-5467
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
afc60484-0652-440e-b01a-5ef814747f06  ruby -- multiple vulnerabilities

Ruby news:

CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly

An instance of OpenSSL::X509::Name contains entities such as CN, C and so on. Two instances of OpenSSL::X509::Name are equal only when all entities are exactly equal. However, there is a bug that the equality check is not correct if the value of an entity of the argument (right-hand side) starts with the value of the receiver (left-hand side). So, if a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility that they are incorrectly judged to be equal.

CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives

Array#pack method converts the receiver's contents into a string with specified format. If the receiver contains some tainted objects, the returned string also should be tainted. String#unpack method which converts the receiver into an array also should propagate its tainted flag to the objects contained in the returned array. But, with B, b, H and h directives, the tainted flags are not propagated. So, if a script processes unreliable inputs by Array#pack and/or String#unpack with these directives and checks the reliability with tainted flags, the check might be wrong.


Discovery 2018-10-17
Entry 2018-10-20
ruby
ge 2.3.0,1 lt 2.3.8,1

ge 2.4.0,1 lt 2.4.5,1

ge 2.5.0,1 lt 2.5.2,1

https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/
https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
CVE-2018-16395
CVE-2018-16396
c329712a-6b5b-11dd-9d79-001fc61c2a55  ruby -- multiple vulnerabilities in safe level

The official ruby site reports:

Several vulnerabilities in safe level have been discovered:

  • untrace_var is permitted at safe level 4;
  • $PROGRAM_NAME may be modified at safe level 4;
  • insecure methods may be called at safe level 1-3;
  • syslog operations are permitted at safe level 4;
  • dl doesn't check taintness, so it could allow attackers to call dangerous functions.

Discovery 2008-08-08
Entry 2008-08-16
Modified 2010-05-12
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.287,1

ge 1.9.*,1 lt 1.9.1.0,1

CVE-2008-3655
CVE-2008-3656
CVE-2008-3905
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
c79eb109-a754-45d7-b552-a42099eb2265  Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON

Aaron Patterson reports:

When parsing certain JSON documents, the JSON gem can be coerced into creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack.

The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used as a spring board for SQL injection attacks in Ruby on Rails.


Discovery 2013-02-11
Entry 2013-02-16
ruby
ge 1.9,1 lt 1.9.3.385,1

rubygem18-json
< 1.7.7

rubygem19-json
< 1.7.7

rubygem18-json_pure
< 1.7.7

rubygem19-json_pure
< 1.7.7

CVE-2013-0269
d3e96508-056b-4259-88ad-50dc8d1978a6  Ruby -- XSS exploit of RDoc documentation generated by rdoc

Ruby developers report:

RDoc documentation generated by the rdoc bundled with ruby is vulnerable to an XSS exploit. All ruby users are recommended to update ruby to a newer version which includes the security-fixed RDoc. If you are publishing RDoc documentation generated by rdoc, you are recommended to apply a patch for the documentation or re-generate it with the security-fixed RDoc.


Discovery 2013-02-06
Entry 2013-02-16
ruby
ge 1.9,1 lt 1.9.3.385,1

rubygem18-rdoc
< 3.12.1

rubygem19-rdoc
< 3.12.1

CVE-2013-0256
d4379f59-3e9b-49eb-933b-61de4d0b0fdb  Ruby -- OpenSSL Hostname Verification Vulnerability

Ruby Developers report:

After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching hostnames and particularly wildcard certificates.

Ruby's OpenSSL extension will now provide a string-based matching algorithm which follows stricter behavior, as recommended by these RFCs. In particular, matching of more than one wildcard per subject/SAN is no longer allowed. As well, comparison of these values is now case-insensitive.


Discovery 2015-04-13
Entry 2015-04-14
Modified 2015-09-23
ruby
ruby20
ge 2.0,1 lt 2.0.0.645,1

ruby
ruby21
ge 2.1,1 lt 2.1.6,1

ruby
ruby22
ge 2.2,1 lt 2.2.2,1

https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
CVE-2015-1855
d656296b-33ff-11d9-a9e7-0001020eed82  ruby -- CGI DoS

The Ruby CGI.rb module contains a bug which can cause the CGI module to go into an infinite loop, thereby causing a denial-of-service situation on the web server by using all available CPU time.


Discovery 2004-11-06
Entry 2004-11-13
Modified 2004-11-25
ruby
ruby_r
gt 1.7.* lt 1.8.2.p2_2

< 1.6.8.2004.07.28_1

ruby-1.7.0
ge a2001.05.12 le a2001.05.26

CVE-2004-0983
http://www.debian.org/security/2004/dsa-586
dd644964-e10e-11e7-8097-0800271d4b9c  ruby -- Command injection vulnerability in Net::FTP

Etienne Stalmans from the Heroku product security team reports:

There is a command injection vulnerability in Net::FTP bundled with Ruby.

Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.


Discovery 2017-12-14
Entry 2017-12-14
ruby
ge 2.2.0,1 lt 2.2.9,1

ge 2.3.0,1 lt 2.3.6,1

ge 2.4.0,1 lt 2.4.3,1

https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
CVE-2017-17405
dec7e4b6-961a-11eb-9c34-080027f515ea  ruby -- XML round-trip vulnerability in REXML

Juho Nurminen reports:

When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.


Discovery 2021-04-05
Entry 2021-04-05
ruby
ge 2.5.0,1 lt 2.5.9,1

ge 2.6.0,1 lt 2.6.7,1

ge 2.7.0,1 lt 2.7.3,1

ge 3.0.0.p1,1 lt 3.0.1,1

rubygem-rexml
< 3.2.5

CVE-2021-28965
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
e811aaf1-f015-11d8-876f-00902714cc7c  Ruby insecure file permissions in the CGI session management

According to a Debian Security Advisory:

Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore [...]) implementations store session information insecurely. They simply create files, ignoring permission issues. This can lead an attacker who has also shell access to the webserver to take over a session.


Discovery 2004-08-16
Entry 2004-08-16
Modified 2004-08-28
ruby
< 1.6.8.2004.07.26

ge 1.7.0 lt 1.8.1.2004.07.23

CVE-2004-0755
http://xforce.iss.net/xforce/xfdb/16996
http://www.debian.org/security/2004/dsa-537
http://marc.theaimsgroup.com/?l=bugtraq&m=109267579822250&w=2
eab8c3bd-e50c-11de-9cd0-001a926c7637  ruby -- heap overflow vulnerability

The official ruby site reports:

There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. This has allowed an attacker to run arbitrary code in some rare cases.


Discovery 2009-11-30
Entry 2009-12-09
ruby
ge 1.9.1,1 lt 1.9.1.376,1

CVE-2009-4124
http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/
eb69bcf2-18ef-4aa2-bb0c-83b263364089  ruby -- multiple vulnerabilities

Ruby news:

CVE-2017-17742: HTTP response splitting in WEBrick

If a script accepts an external input and outputs it without modification as a part of HTTP responses, an attacker can use newline characters to deceive the clients into believing that the HTTP response header stops there, and can inject fake HTTP responses after the newline characters to show malicious contents to the clients.

CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir

Dir.mktmpdir method introduced by tmpdir library accepts the prefix and the suffix of the directory which is created as the first parameter. The prefix can contain relative directory specifiers "../", so this method can be used to target any directory. So, if a script accepts an external input as the prefix, and the targeted directory has inappropriate permissions or the ruby process has inappropriate privileges, the attacker can create a directory or a file at any directory.

CVE-2018-8777: DoS by large request in WEBrick

If an attacker sends a large request which contains huge HTTP headers, WEBrick tries to process it in memory, so the request causes an out-of-memory DoS attack.

CVE-2018-8778: Buffer under-read in String#unpack

String#unpack receives format specifiers as its parameter, and the position from which to parse the data can be specified by the specifier @. If a big number is passed with @, the number is treated as a negative value, and an out-of-buffer read occurs. So, if a script accepts an external input as the argument of String#unpack, the attacker can read data on the heap.

CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket

UNIXServer.open accepts the path of the socket to be created as its first parameter. If the path contains NUL (\0) bytes, this method treats the path as ending before the NUL bytes. So, if a script accepts an external input as the argument of this method, the attacker can make the socket file at an unintended path. And, UNIXSocket.open also accepts the path of the socket to be created as its first parameter without checking for NUL bytes, like UNIXServer.open. So, if a script accepts an external input as the argument of this method, the attacker can accept the socket file at an unintended path.

CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir

Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the target directory as their parameter. If the parameter contains NUL (\0) bytes, these methods treat the path as ending before the NUL bytes. So, if a script accepts an external input as the argument of these methods, the attacker can cause unintended directory traversal.


Discovery 2018-03-28
Entry 2018-03-29
ruby
ge 2.3.0,1 lt 2.3.7,1

ge 2.4.0,1 lt 2.4.4,1

ge 2.5.0,1 lt 2.5.1,1

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
CVE-2017-17742
CVE-2018-6914
CVE-2018-8777
CVE-2018-8778
CVE-2018-8779
CVE-2018-8780
ed8d5535-ca78-11e9-980b-999ff59c22ea RDoc -- multiple jQuery vulnerabilities

Ruby news:

There are multiple Cross-Site Scripting (XSS) vulnerabilities in the jQuery shipped with RDoc, which is bundled in Ruby. All Ruby users are recommended to update Ruby to the latest release, which includes the fixed version of RDoc.

The following vulnerabilities have been reported.

CVE-2012-6708

CVE-2015-9251


Discovery 2019-08-28
Entry 2019-08-29
Modified 2019-08-31
ruby
ge 2.4.0,1 lt 2.4.7,1

ge 2.5.0,1 lt 2.5.6,1

ge 2.6.0,1 lt 2.6.3,1

rubygem-rdoc
lt 6.1.2

https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/
CVE-2012-6708
CVE-2015-9251
f22144d7-bad1-11ec-9cfe-0800270512f4 Ruby -- Double free in Regexp compilation

piao reports:

Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a "double free" vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.


Discovery 2022-04-12
Entry 2022-04-13
ruby
ge 3.0.0,1 lt 3.0.4,1

ge 3.1.0,1 lt 3.1.2,1

ge 3.2.0.p1,1 lt 3.2.0.p1_1,1

ruby30
ge 3.0.0,1 lt 3.0.4,1

ruby31
ge 3.1.0,1 lt 3.1.2,1

ruby32
ge 3.2.0.p1,1 lt 3.2.0.p1_1,1

CVE-2022-28738
https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/
f7ba20aa-6b5a-11dd-9d79-001fc61c2a55 ruby -- DoS vulnerability in WEBrick

The official ruby site reports:

WEBrick::HTTP::DefaultFileHandler is vulnerable to requests that take exponential time, due to a backtracking regular expression in WEBrick::HTTPUtils.split_header_value.


Discovery 2008-08-08
Entry 2008-08-16
Modified 2010-05-12
ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.111_5,1

ge 1.9.*,1 lt 1.9.1.0,1

CVE-2008-3655
CVE-2008-3656
CVE-2008-3905
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
f7fcb75c-e537-11e9-863e-b9b7af01ba9e ruby -- multiple vulnerabilities

Ruby news:

This release includes security fixes. Please check the topics below for details.

CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?

A NUL injection vulnerability of Ruby built-in methods (File.fnmatch and File.fnmatch?) was found. An attacker who has control of the path pattern parameter could exploit this vulnerability to make path matching pass despite the intention of the program author.

CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication

A regular expression denial of service vulnerability in WEBrick's Digest authentication module was found. An attacker can exploit this vulnerability to cause an effective denial of service against a WEBrick service.

CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)

There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby.

CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test

A code injection vulnerability of Shell#[] and Shell#test in a standard library (lib/shell.rb) was found.


Discovery 2019-10-01
Entry 2019-10-02
ruby
ge 2.4.0,1 lt 2.4.9,1

ge 2.5.0,1 lt 2.5.7,1

ge 2.6.0,1 lt 2.6.5,1

https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/
https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/
https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-4-8-released/
https://www.ruby-lang.org/en/news/2019/10/02/ruby-2-4-9-released/
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
CVE-2019-15845
CVE-2019-16201
CVE-2019-16254
CVE-2019-16255