漏洞类别:Ubuntu
漏洞等级: 
漏洞信息
It was discovered that Ruby DL::dlopen incorrectly handled opening libraries.
It was discovered that the Ruby OpenSSL extension incorrectly handled hostname wildcard matching.
It was discovered that Ruby Fiddle::Handle incorrectly handled certain crafted strings.
It was discovered that Ruby Net::SMTP incorrectly handled CRLF sequences.
It was discovered that Ruby incorrectly handled certain arguments in a TclTkIp class method.
It was discovered that Ruby Fiddle::Function.new incorrectly handled certain arguments.
It was discovered that Ruby incorrectly handled the initialization vector (IV) in GCM mode.
漏洞危害
An attacker could possibly use this issue to open libraries with tainted names. This issue only applied to Ubuntu 14.04 LTS. (CVE-2009-5147)
This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-1855)
An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2015-7551)
A remote attacker could possibly use this issue to inject SMTP commands. (CVE-2015-9096)
An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2337)
An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-2339)
An attacker could possibly use this issue to bypass encryption. (CVE-2016-7798)
解决方案
Refer to Ubuntu advisory USN-3365-1 for affected packages and patching details, or update with your package manager.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
USN-3365-1: 16.04 (Xenial) on src (libruby2.3)
USN-3365-1: 14.04 (Kylin) on src (libruby2.0)
USN-3365-1: 17.04 (zesty) on src (ruby2.3)
USN-3365-1: 17.04 (zesty) on src (libruby2.3)
USN-3365-1: 14.04 (Kylin) on src (ruby1.9.1)
USN-3365-1: 14.04 (Kylin) on src (ruby2.0)
0daybank
文章评论