Ruby is vulnerable to command injection attacks. This is because lazy_initialize
function in lib/resolv.rb
do not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands.
access.redhat.com/errata/RHSA-2018:0378
access.redhat.com/errata/RHSA-2018:0583
access.redhat.com/errata/RHSA-2018:0584
access.redhat.com/errata/RHSA-2018:0585
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=1549646
github.com/ruby/ruby/pull/1777
lists.debian.org/debian-lts-announce/2017/12/msg00024.html
lists.debian.org/debian-lts-announce/2017/12/msg00025.html
lists.debian.org/debian-lts-announce/2018/07/msg00012.html
www.debian.org/security/2018/dsa-4259