FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-16 19:33:48 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 2c8bd00d-ada2-11e7-82af-8dbff7d75206
Description: rubygems -- deserialization vulnerability

oss-security mailing list:

There is a possible unsafe object deserialization vulnerability in RubyGems. It is possible for YAML deserialization of gem specifications to bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

Discovery: 2017-10-09
Entry: 2017-10-10
Affected packages:
ruby22-gems
ruby23-gems
ruby24-gems
< 2.6.14

http://www.openwall.com/lists/oss-security/2017/10/10/2
http://blog.rubygems.org/2017/10/09/2.6.14-released.html
CVE-2017-0903
VuXML ID: 3f6de636-8cdb-11e7-9c71-f0def1fd7ea2
Description: rubygems -- multiple vulnerabilities

Official blog of RubyGems reports:

The following vulnerabilities have been reported: a DNS request hijacking vulnerability, an ANSI escape sequence vulnerability, a DoS vulnerability in the query command, and a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files.

Discovery: 2017-08-29
Entry: 2017-08-29
Affected packages:
ruby22-gems
ruby23-gems
ruby24-gems
< 2.6.13

https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/
VuXML ID: a0089e18-fc9e-11e4-bc58-001e67150279
Description: rubygems -- request hijacking vulnerability

Jonathan Claudius reports:

RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain.

RubyGems did not validate the hostname returned in the SRV record before sending requests to it. This left clients open to a DNS hijack attack, whereby an attacker could return a SRV of their choosing and get the client to use it.

Discovery: 2015-05-14
Entry: 2015-05-17
Affected packages:
ruby20-gems
< 2.4.7

ruby21-gems
< 2.4.7

ruby22-gems
< 2.4.7

ports/200264
CVE-2015-3900
http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html
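The SRV-based host redirection described in the CVE-2015-3900 entry is only safe when the client checks that the host returned by the `_rubygems._tcp` lookup belongs to the domain it originally asked about. The following is an added example of that check (not RubyGems' own code); the SRV answers are a constructed in-memory table standing in for a real DNS lookup.

```ruby
# Added example, not RubyGems' own implementation.
# Decide whether a host returned by a _rubygems._tcp SRV lookup may replace
# the originally requested host. Only the original host itself, or a
# subdomain of it, is accepted; anything else falls back to the original.
def trusted_api_host(original_host, srv_target)
  orig   = original_host.to_s.downcase.chomp('.')
  target = srv_target.to_s.downcase.chomp('.')
  return orig if target.empty? || target == orig
  # Require a label boundary so "evil-rubygems.org" cannot pass for
  # a subdomain of "rubygems.org".
  return target if target.end_with?(".#{orig}")
  orig
end

# Constructed SRV table standing in for DNS: domain => target host.
# (Hypothetical values, not real DNS data.)
SRV_ANSWERS = {
  'rubygems.org' => 'api.rubygems.org',    # legitimate delegation
  'gems.example' => 'attacker.example'     # hijacked / spoofed answer
}.freeze

# Resolve the API endpoint for a domain, honouring the SRV record only
# when it stays inside the requested domain.
def resolve_api_endpoint(domain, answers = SRV_ANSWERS)
  trusted_api_host(domain, answers[domain])
end

if __FILE__ == $PROGRAM_NAME
  SRV_ANSWERS.each_key do |d|
    puts "#{d} -> #{resolve_api_endpoint(d)}"
  end
end
```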