| Summary: | <dev-ruby/rubygems-2.7.9: multiple vulnerabilities (CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | ruby |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: |
dev-ruby/rubygems-2.7.9
|
Runtime testing required: | --- |
Fixed versions rubygems-2.7.9 and rubygems-3.0.3 have been added. amd64 stable sparc stable x86 stable arm stable ia64 stable s390 stable ppc stable ppc64 stable hppa stable alpha stable @maintainer, please drop vulnerable. cleanup done. |
Today we’re disclosing several vulnerablities to RubyGems. They have all been reported via hackerone. We strongly recommend to upgrade the latest stable version of RubyGems 3.0.3 or 2.7.8. If you can’t upgrade RubyGems 2.7 or 3.0, please use this patch for RubyGems 2.6. The following vulnerabilities have been reported. CVE-2019-8320: Delete directory using symlink when decompressing tar CVE-2019-8321: Escape sequence injection vulnerability in verbose CVE-2019-8322: Escape sequence injection vulnerability in gem owner CVE-2019-8323: Escape sequence injection vulnerability in API response handling CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution CVE-2019-8325: Escape sequence injection vulnerability in errors