Description
RubyGems versions 2.0.0 through 2.6.13 are vulnerable to possible
remote code execution. YAML deserialization of gem specifications can
bypass the class whitelist, so specially crafted serialized objects can
potentially be used to escalate to remote code execution.
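The control this vulnerability concerns is the class allow list applied when a gem specification is deserialized. The following is an added example, not code from RubyGems or from this tracker page: it loads a constructed, spec-like YAML document through Psych's safe loader with an explicit allow list (the list itself is an assumption for the example, not RubyGems' own), and shows that a document carrying an object tag outside that list is refused rather than instantiated.

```ruby
require 'yaml'
require 'rubygems'

# Classes a gem specification legitimately serializes. This list is an
# assumption for the example; it is not copied from RubyGems' own allow list.
GEMSPEC_CLASSES = [Gem::Version, Gem::Requirement, Gem::Dependency, Symbol].freeze

# Deserialize a spec document, allowing only the listed classes and no
# YAML aliases. Anything else raises Psych::DisallowedClass or Psych::BadAlias.
def load_spec_safely(yaml, permitted: GEMSPEC_CLASSES)
  YAML.safe_load(yaml, permitted_classes: permitted, aliases: false)
end

# Returns :ok when the document deserializes under the allow list and
# :rejected when Psych refuses it.
def check_spec_document(yaml, permitted: GEMSPEC_CLASSES)
  load_spec_safely(yaml, permitted: permitted)
  :ok
rescue Psych::DisallowedClass, Psych::BadAlias
  :rejected
end

# Constructed sample: a minimal spec-like document using only expected classes.
BENIGN_SPEC = <<~YAML
  ---
  name: example-gem
  version: !ruby/object:Gem::Version
    version: "1.2.3"
YAML

# Constructed sample: same shape, but the version field carries an object
# tag that is not on the allow list (placeholder class name).
UNEXPECTED_SPEC = <<~YAML
  ---
  name: example-gem
  version: !ruby/object:NotOnTheAllowList
    payload: whatever
YAML

if __FILE__ == $PROGRAM_NAME
  puts "benign:     #{check_spec_document(BENIGN_SPEC)}"     # benign:     ok
  puts "unexpected: #{check_spec_document(UNEXPECTED_SPEC)}" # unexpected: rejected
end
```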
Notes
| tyhicks | ruby{1.9.1,2.0,2.3} and jruby ship an embedded rubygems. |
| leosilva | following http://www.openwall.com/lists/oss-security/2017/10/10/2, versions < 2.0.0 of ruby are not affected |
Package
| Upstream: | needs-triage |
| Ubuntu 18.04 LTS: | DNE |
| Ubuntu 20.04 LTS: | DNE |
| Ubuntu 21.10: | DNE |
| Ubuntu 22.04 LTS: | DNE |
| Ubuntu 14.04 ESM: | DNE (trusty was not-affected [code not present]) |
Patches:
Package
| Upstream: | needs-triage |
| Ubuntu 18.04 LTS: | DNE |
| Ubuntu 20.04 LTS: | DNE |
| Ubuntu 21.10: | DNE |
| Ubuntu 22.04 LTS: | DNE |
| Ubuntu 14.04 ESM: | DNE (trusty was released [2.0.0.484-1ubuntu2.10]) |
Patches:
Package
| Upstream: | needs-triage |
| Ubuntu 18.04 LTS: | DNE |
| Ubuntu 20.04 LTS: | DNE |
| Ubuntu 21.10: | DNE |
| Ubuntu 16.04 ESM: | released (2.3.1-2~16.04.6) |
| Ubuntu 22.04 LTS: | DNE |
| Ubuntu 14.04 ESM: | DNE |
Patches:
Updated: 2022-04-25 00:18:30 UTC (commit ecc1009cb19540b950de59270950018900f37f15)