[SECURITY] [DLA 1467-1] ruby-zip security update

2018-08-1511:30:21

lists.debian.org

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.5%

JSON

Package : ruby-zip
Version : 1.1.6-1+deb8u2
CVE ID : CVE-2018-1000544
Debian Bug : 902720

It was found that rubyzip, a Ruby module for reading and writing zip
files, contained a Directory Traversal vulnerability that can be
exploited to write arbitrary files to the filesystem.

For Debian 8 "Jessie", this problem has been fixed in version
1.1.6-1+deb8u2.

We recommend that you upgrade your ruby-zip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9allruby-zip< 1.2.0-1.1+deb9u1ruby-zip_1.2.0-1.1+deb9u1_all.deb
Debian9amd64ruby-zip< 1.2.0-1.1+deb9u1ruby-zip_1.2.0-1.1+deb9u1_amd64.deb
Debian8i386ruby-zip< 1.1.6-1+deb8u2ruby-zip_1.1.6-1+deb8u2_i386.deb
Debian9arm64ruby-zip< 1.2.0-1.1+deb9u1ruby-zip_1.2.0-1.1+deb9u1_arm64.deb
Debian8armhfruby-zip< 1.1.6-1+deb8u2ruby-zip_1.1.6-1+deb8u2_armhf.deb
Debian8armelruby-zip< 1.1.6-1+deb8u2ruby-zip_1.1.6-1+deb8u2_armel.deb
Debian9armhfruby-zip< 1.2.0-1.1+deb9u1ruby-zip_1.2.0-1.1+deb9u1_armhf.deb
Debian8amd64ruby-zip< 1.1.6-1+deb8u2ruby-zip_1.1.6-1+deb8u2_amd64.deb
Debian9i386ruby-zip< 1.2.0-1.1+deb9u1ruby-zip_1.2.0-1.1+deb9u1_i386.deb
Debian8allruby-zip< 1.1.6-1+deb8u2ruby-zip_1.1.6-1+deb8u2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	all	ruby-zip	< 1.2.0-1.1+deb9u1	ruby-zip_1.2.0-1.1+deb9u1_all.deb
Debian	9	amd64	ruby-zip	< 1.2.0-1.1+deb9u1	ruby-zip_1.2.0-1.1+deb9u1_amd64.deb
Debian	8	i386	ruby-zip	< 1.1.6-1+deb8u2	ruby-zip_1.1.6-1+deb8u2_i386.deb
Debian	9	arm64	ruby-zip	< 1.2.0-1.1+deb9u1	ruby-zip_1.2.0-1.1+deb9u1_arm64.deb
Debian	8	armhf	ruby-zip	< 1.1.6-1+deb8u2	ruby-zip_1.1.6-1+deb8u2_armhf.deb
Debian	8	armel	ruby-zip	< 1.1.6-1+deb8u2	ruby-zip_1.1.6-1+deb8u2_armel.deb
Debian	9	armhf	ruby-zip	< 1.2.0-1.1+deb9u1	ruby-zip_1.2.0-1.1+deb9u1_armhf.deb
Debian	8	amd64	ruby-zip	< 1.1.6-1+deb8u2	ruby-zip_1.1.6-1+deb8u2_amd64.deb
Debian	9	i386	ruby-zip	< 1.2.0-1.1+deb9u1	ruby-zip_1.2.0-1.1+deb9u1_i386.deb
Debian	8	all	ruby-zip	< 1.1.6-1+deb8u2	ruby-zip_1.1.6-1+deb8u2_all.deb