Commit 804a889

cp {en,ko}/news/_posts/2019-03-05-multiple-vulnerabilities-in-rubygems.md
1 parent 6be0ae7 commit 804a889

File tree

1 file changed

+57
-0
lines changed

Lines changed: 57 additions & 0 deletions
@@ -0,0 +1,57 @@
1+
---
2+
layout: news_post
3+
title: "Multiple vulnerabilities in RubyGems"
4+
author: "hsbt"
5+
translator:
6+
date: 2019-03-05 00:00:00 +0000
7+
tags: security
8+
lang: en
9+
---
10+
11+
There are multiple vulnerabilities in RubyGems bundled with Ruby.
12+
It is [reported at the official blog of RubyGems](http://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html).
13+
14+
## Details
15+
16+
The following vulnerabilities have been reported.
17+
18+
* CVE-2019-8320: Delete directory using symlink when decompressing tar
19+
* CVE-2019-8321: Escape sequence injection vulnerability in `verbose`
20+
* CVE-2019-8322: Escape sequence injection vulnerability in `gem owner`
21+
* CVE-2019-8323: Escape sequence injection vulnerability in API response handling
22+
* CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
23+
* CVE-2019-8325: Escape sequence injection vulnerability in errors
24+
25+
It is strongly recommended for Ruby users to take one of the following workarounds as soon as possible.
26+
27+
## Affected Versions
28+
29+
* Ruby 2.4 series: 2.4.5 and earlier
30+
* Ruby 2.5 series: 2.5.3 and earlier
31+
* Ruby 2.6 series: 2.6.1 and earlier
32+
* prior to trunk revision 67168
33+
34+
## Workarounds
35+
36+
RubyGems 2.7.6.2/2.7.9/3.0.3 or later includes the fix for the vulnerabilities, so upgrade RubyGems to the latest version.
37+
38+
```
39+
gem update --system
40+
```
41+
42+
If you can't upgrade RubyGems, you can apply the following patches as a workaround.
43+
44+
* [for Ruby 2.4.5](https://bugs.ruby-lang.org/attachments/7669)
45+
* [for Ruby 2.5.3](https://bugs.ruby-lang.org/attachments/7670)
46+
* [for Ruby 2.6.1](https://bugs.ruby-lang.org/attachments/7671)
47+
48+
About the trunk, update to the latest revision.
49+
50+
## Credits
51+
52+
This report is based on [the official blog of RubyGems](http://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html).
53+
54+
## History
55+
56+
* Originally published at 2019-03-05 00:00:00 UTC
57+
* Link to updated patches at 2019-03-06 05:26:27 UTC
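Review bot: the copied post still carries `lang: en` and an empty `translator:` field in the front matter (hunk lines 5 and 8), and the body text is still English; since the commit message copies the English post into `ko/`, this file needs `lang: ko`, a translator name, and a translated body before it is published, otherwise it will render as an English page under the Korean news feed. While editing, the fenced block around `gem update --system` (hunk lines 38-40) could take a `sh` language tag for consistent rendering, and the "Affected Versions" bullets say "2.4.5 and earlier" while the listed patches are only against 2.4.5, 2.5.3 and 2.6.1; stating that the patches target those exact releases would avoid readers applying them to older point releases.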
