Date: Tue, 19 Dec 2017 02:15:17 +0000 (UTC) From: Steve Wills <swills@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r456699 - head/security/vuxml Message-ID: <201712190215.vBJ2FHdO039599@repo.freebsd.org>
Author: swills Date: Tue Dec 19 02:15:17 2017 New Revision: 456699 URL: https://svnweb.freebsd.org/changeset/ports/456699 Log: Document ruby issue Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Dec 19 00:54:26 2017 (r456698) +++ head/security/vuxml/vuln.xml Tue Dec 19 02:15:17 2017 (r456699) 
@@ -58,6 +58,35 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="dd644964-e10e-11e7-8097-0800271d4b9c"> + <topic>ruby -- Command injection vulnerability in Net::FTP</topic> + <affects> + <package> + <name>ruby</name> + <range><ge>2.2.0,1</ge><lt>2.2.9,1</lt></range> + <range><ge>2.3.0,1</ge><lt>2.3.6,1</lt></range> + <range><ge>2.4.0,1</ge><lt>2.4.3,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Etienne Stalmans from the Heroku product security team reports:</p> + <blockquote cite="https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/"> + <p>There is a command injection vulnerability in Net::FTP bundled with Ruby.</p> + <p><code>Net::FTP#get</code>, <code>getbinaryfile</code>, <code>gettextfile</code>, <code>put</code>, <code>putbinaryfile</code>, and <code>puttextfile</code> use <code>Kernel#open</code> to open a local file. If the <code>localfile</code> argument starts with the pipe character <code>"|"</code>, the command following the pipe character is executed. The default value of <code>localfile</code> is <code>File.basename(remotefile)</code>, so malicious FTP servers could cause arbitrary command execution.</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/</url> + <cvename>CVE-2017-17405</cvename> + </references> + <dates> + <discovery>2017-12-14</discovery> + <entry>2017-12-14</entry> + </dates> + </vuln> + <vuln vid="8cf25a29-e063-11e7-9b2c-001e672571bc"> <topic>rubygem-passenger -- arbitrary file read vulnerability</topic> <affects>
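Review bot: The `<dates>` block at the end of the new `<vuln>` entry sets `<entry>2017-12-14</entry>`, but this entry is being committed on 2017-12-19; in vuln.xml the `<entry>` date records when the entry was added to the database, so it should read `<entry>2017-12-19</entry>` while `<discovery>2017-12-14</discovery>` stays as the advisory date. Otherwise the entry looks consistent: the three `<range>` elements match the fixed releases named in the advisory (2.2.9, 2.3.6, 2.4.3, each with the port's `,1` epoch), the `<blockquote cite>` and `<url>` point at the same ruby-lang.org advisory, and the `<cvename>` matches CVE-2017-17405 in that URL.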