There is a command injection vulnerability in Net::FTP bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-17405.

Details

Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

All users running an affected release should upgrade immediately.

Affected Versions

Ruby 2.2 series: 2.2.8 and earlier
Ruby 2.3 series: 2.3.5 and earlier
Ruby 2.4 series: 2.4.2 and earlier
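The root cause described above is that Kernel#open treats a leading "|" as a request to spawn a process, while the local filename defaults to something the remote server controls. The following is an added example written for this bug, not code from Ruby's Net::FTP or its fix; the helper names safe_local_name and save_download are hypothetical. It shows the defensive pattern: derive the local name the same way Net::FTP does (File.basename of the remote name), reject names that Kernel#open would interpret as a command or that would escape the download directory, and write through File.open, which always treats its argument as a literal path.

```ruby
require "tmpdir"

# Hypothetical helper (added example, not Ruby's own Net::FTP code).
# Mirrors the default used by Net::FTP#get: the local name is derived
# from the remote name, so the server effectively chooses it. Anything
# Kernel#open would read as a pipe, and anything that is not a plain
# file name inside the download directory, is refused.
def safe_local_name(remotefile)
  name = File.basename(remotefile.to_s)
  raise ArgumentError, "empty local name" if name.empty?
  raise ArgumentError, "pipe prefix rejected: #{name.inspect}" if name.start_with?("|")
  if name == "." || name == ".." || name.include?("/")
    raise ArgumentError, "path component rejected: #{name.inspect}"
  end
  name
end

# Writes downloaded data under dir. File.open never spawns a process for
# a leading "|" (unlike Kernel#open, which the affected releases used),
# so even a name that slipped past validation would only become a file.
def save_download(dir, remotefile, data)
  path = File.join(dir, safe_local_name(remotefile))
  File.open(path, "wb") { |f| f.write(data) }
  path
end

# Shows File.open treating a "|" name literally: a file is created, no
# command runs. Constructed demonstration, nothing is fetched from a server.
def literal_pipe_name(dir)
  path = File.join(dir, "|not-a-command")
  File.open(path, "wb") { |f| f.write("plain bytes") }
  File.file?(path)
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    puts save_download(dir, "pub/readme.txt", "hello")   # accepted, plain name
    puts literal_pipe_name(dir)                           # true: file, not a process
    begin
      save_download(dir, "|echo pwned", "x")              # server-chosen name with pipe
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

Running the script prints the saved path, then `true` for the literal "|" file, then the rejection message for the pipe-prefixed name. The validation step is what matters when the name is used with any API; switching to File.open is the belt-and-braces part, and is the direction the Ruby fix took (replacing Kernel#open in those methods).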
Fixed versions are available: dev-lang/ruby-2.2.9 dev-lang/ruby-2.3.6 dev-lang/ruby-2.4.3
Since 2.2.9 only contains the single fix to Net::FTP we can proceed with stabling right away.
hppa stable
sparc stable (thanks to Rolf Eike Beer)
amd64 stable
arm stable
ia64 stable
ppc/ppc64 stable
x86 stable
alpha stable
vulnerable versions have been removed
GLSA request filed.
This issue was resolved and addressed in GLSA 201802-05 at https://security.gentoo.org/glsa/201802-05 by GLSA coordinator Thomas Deutschmann (whissi).