CVE-2017-10784 in Ubuntu

CVE-2017-10784

Priority

Description

The Basic authentication code in WEBrick library in Ruby before 2.2.8,
2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to
inject terminal emulator escape sequences into its log and possibly execute
arbitrary commands via a crafted user name.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
https://hackerone.com/reports/223363
https://ubuntu.com/security/notices/USN-3439-1
https://ubuntu.com/security/notices/USN-3528-1
https://ubuntu.com/security/notices/USN-3685-1

Notes

Package

Source: ruby1.9.1 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was released [1.9.3.484-2ubuntu1.5])

Patches:

Package

Source: ruby2.0 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was released [2.0.0.484-1ubuntu2.10])

Patches:

Package

Source: ruby2.3 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 16.04 ESM:	released (2.3.1-2~16.04.5)
Ubuntu 14.04 ESM:	DNE

Patches:

Upstream:

https://github.com/ruby/ruby/commit/6617c41292b7d1e097abb8fdb0cab9ddd83c77e7

More Information

Updated: 2022-04-13 12:52:05 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)