Vulnerability CVE-2018-16396: Information
Description
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. Array#pack and String#unpack do not propagate the taint flag for some directives, so a string produced by unpacking tainted (externally supplied) input is returned untainted. Code that relies on taint checks ($SAFE levels or explicit tainted? checks) to gate the use of untrusted data can therefore be bypassed by routing the data through such a conversion. Note that taint tracking was deprecated in Ruby 2.7 and removed entirely in 3.2, so the 3.x builds listed in the table below no longer carry the mechanism at all.
Severity: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
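The following Ruby script is an added example for this page; it is not part of the ALT advisory, the Ruby project's fix, or the original report. It does two things a practitioner typically wants here: compares a RUBY_VERSION-style string against the affected ranges stated in the description, and, on interpreters old enough to still implement taint (before 2.7, where it became a no-op), probes String#unpack directly by tainting a sample string and reporting which directives return untainted results. The directive list is a broad sample chosen for the probe, not the list the advisory names; the sample input "hello" is constructed for the example.

```ruby
require "rubygems" # for Gem::Version; loaded by default unless ruby runs with --disable-gems

# First patch release in each affected minor series that carries the fix,
# taken from the advisory text above (2.6.0-preview3 and later are also fixed).
FIXED_IN = { [2, 3] => 8, [2, 4] => 5, [2, 5] => 2 }.freeze

# Directives tried by the runtime probe. This is a broad sample of String#unpack
# formats chosen for this example, not the directives the advisory names.
DIRECTIVES = %w[a* A* Z* B* b* H* h* u m M U* w].freeze

# Returns true when a Ruby version string (as in RUBY_VERSION, e.g. "2.5.1")
# falls inside the affected ranges from the advisory. Preview builds must be
# passed with their tag, e.g. "2.6.0-preview2", because RUBY_VERSION itself
# reports plain "2.6.0" for them.
def affected_version?(version)
  if (preview = version.match(/\A2\.6\.0-preview(\d+)\z/))
    return preview[1].to_i < 3
  end
  major, minor, patch = version.split(".").map(&:to_i)
  return true if major < 2 || (major == 2 && minor < 3) # 2.2 and older: no fixed release
  return false if major > 2 || minor > 5                 # 2.6.0 final and later are fixed
  patch < FIXED_IN[[major, minor]]
end

# Runtime probe for the behaviour itself. On interpreters that still implement
# taint (before 2.7, where it became a no-op), taint a string, unpack it with
# each directive and return the directives whose string results came back
# untainted. Returns nil where the probe is meaningless (taint is a no-op or gone).
def unpack_directives_losing_taint(sample = "hello")
  return nil unless Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.7.0")

  tainted = sample.dup.taint
  DIRECTIVES.select do |directive|
    begin
      tainted.unpack(directive).any? { |r| r.is_a?(String) && !r.tainted? }
    rescue ArgumentError
      false # directive not applicable to this sample; not evidence either way
    end
  end
end

if $PROGRAM_NAME == __FILE__
  state = affected_version?(RUBY_VERSION) ? "in affected range" : "not in affected range"
  puts "RUBY_VERSION #{RUBY_VERSION}: #{state}"
  losing = unpack_directives_losing_taint
  if losing.nil?
    puts "taint probe skipped: taint tracking is a no-op or removed on this interpreter"
  elsif losing.empty?
    puts "taint probe: all tested directives propagated the taint flag"
  else
    puts "taint probe: taint lost for #{losing.join(', ')}"
  end
end
```

Run it with the interpreter you want to assess (`ruby check_cve_2018_16396.rb`). The version check is the authoritative part for packaged builds, since distributions such as ALT backport the fix without changing RUBY_VERSION; on such builds the probe (where it runs) is the only way to confirm the backport actually covers the directives you use.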
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
ruby | sisyphus | 2.5.4-alt1 | 3.1.4-alt4.4 | ALT-PU-2019-1050-1 | 219345 | Fixed |
ruby | p10 | 2.5.4-alt1 | 3.1.4-alt2.p10.1 | ALT-PU-2019-1050-1 | 219345 | Fixed |
ruby | p9 | 2.5.4-alt1 | 2.5.9-alt1 | ALT-PU-2019-1050-1 | 219345 | Fixed |
ruby | c10f1 | 2.5.4-alt1 | 2.7.4-alt2.2.1 | ALT-PU-2019-1050-1 | 219345 | Fixed |
ruby | c9f2 | 2.5.4-alt1 | 2.7.6-alt0.1.c9f2 | ALT-PU-2019-1050-1 | 219345 | Fixed |
ruby | p11 | 2.5.4-alt1 | 3.1.4-alt4.4 | ALT-PU-2019-1050-1 | 219345 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/ | Ruby 2.6.0-preview3 release notes |
https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/ | Ruby 2.5.2 release notes |
https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/ | Ruby 2.4.5 release notes |
https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/ | Ruby 2.3.8 release notes |
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/ | Ruby project security advisory |
[debian-lts-announce] 20181028 [SECURITY] [DLA 1558-1] ruby2.1 security update | Debian LTS advisory |
https://hackerone.com/reports/385070 | Original HackerOne report |
DSA-4332 | Debian security advisory |
USN-3808-1 | Ubuntu security notice |
1042106 | |
RHSA-2018:3731 | Red Hat security advisory |
RHSA-2018:3730 | Red Hat security advisory |
RHSA-2018:3729 | Red Hat security advisory |
https://security.netapp.com/advisory/ntap-20190221-0002/ | NetApp advisory |
openSUSE-SU-2019:1771 | openSUSE security update |
RHSA-2019:2028 | Red Hat security advisory |