Attachment 191916 Details for Bug 227053 – patch file

[patch] patch file

security_vuxml.patch (text/plain), 3.58 KB, created by Yasuhiro Kimura on 2018-03-28 21:51:47 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Yasuhiro Kimura

Created: 2018-03-28 21:51:47 UTC

Size: 3.58 KB

patch

obsolete

>Index: vuln.xml
>===================================================================
>--- vuln.xml	(revision 465848)
>+++ vuln.xml	(working copy)
>@@ -58,6 +58,62 @@
> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>+ <vuln vid="b20d5f5e-32c2-11e8-a869-9c5c8e75236a">
>+ <topic>ruby -- multiple vulnerabilities</topic>
>+ <affects>
>+ <package>
>+	<name>ruby</name>
>+	<range><ge>2.3.0,1</ge><lt>2.3.7,1</lt></range>
>+	<range><ge>2.4.0,1</ge><lt>2.4.4,1</lt></range>
>+	<range><ge>2.5.0,1</ge><lt>2.5.1,1</lt></range>
>+ </package>
>+ </affects>
>+ <description>
>+ <body xmlns="http://www.w3.org/1999/xhtml">
>+	ooooooo_q reports:
>+	<blockquote cite="https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/">
>+	 There is an unintentional directory creation vulnerability in tmpdir library bundled with Ruby. And there is also an unintentional file creation vulnerability in tempfile library bundled with Ruby, because it uses tmpdir internally.
>+	</blockquote>
>+	<blockquote cite="https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/">
>+	 There is a unintentional socket creation vulnerability in UNIXServer.open method of socket library bundled with Ruby. And there is also a unintentional socket access vulnerability in UNIXSocket.open method.
>+	</blockquote>
>+	<blockquote cite="https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/">
>+	 There is an unintentional directory traversal in some methods in Dir.
>+	</blockquote>
>+	Eric Wong reports:
>+	<blockquote cite="https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/">
>+	 There is a out-of-memory DoS vulnerability with a large request in WEBrick bundled with Ruby.
>+	</blockquote>
>+	Aaron Patterson reports:
>+	<blockquote cite="https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/">
>+	 There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby.
>+	</blockquote>
>+	aerodudrizzt reports:
>+	<blockquote cite="https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/">
>+	 There is a buffer under-read vulnerability in String#unpack method.
>+	</blockquote>
>+ </body>
>+ </description>
>+ <references>
>+ <url>https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/</url>
>+ <url>https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/</url>
>+ <url>https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/</url>
>+ <url>https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/</url>
>+ <url>https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/</url>
>+ <url>https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/</url>
>+ <cvename>CVE-2018-6914</cvename>
>+ <cvename>CVE-2018-8779</cvename>
>+ <cvename>CVE-2018-8780</cvename>
>+ <cvename>CVE-2018-8777</cvename>
>+ <cvename>CVE-2017-17742</cvename>
>+ <cvename>CVE-2018-8778</cvename>
>+ </references>
>+ <dates>
>+ <discovery>2018-03-28</discovery>
>+ <entry>2018-03-28</entry>
>+ </dates>
>+ </vuln>
>+
> <vuln vid="1ce95bc7-3278-11e8-b527-00012e582166">
> <topic>webkit2-gtk3 -- multiple vulnerabilities</topic>
> <affects>

Actions: View | Diff

Attachments on bug 227053: 191916