Debian LTS: DLA-1336-1: rubygems security update
Summary
Package :rubygems
Package : rubygems Version : 1.8.24-1+deb7u2 CVE ID : CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 Multiple vulnerabilities were found in rubygems, a package management framework for Ruby. CVE-2018-1000075 A negative size vulnerability in ruby gem package tar header that could cause an infinite loop. CVE-2018-1000076 Ruby gems package improperly verifies cryptographic signatures. A mis-signed gem could be installed if the tarball contains multiple gem signatures. CVE-2018-1000077 An improper input validation vulnerability in ruby gems specification homepage attribute could allow malicious gem to set an invalid homepage URL. CVE-2018-1000078 Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute For Debian 7 "Wheezy", these problems have been fixed in version 1.8.24-1+deb7u2. We recommend that you upgrade your rubygems packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Package :rubygems