Debian Rubygems vulnerabilities

30 known vulnerabilities affecting debian/rubygems.

Total CVEs: 30
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 13, MEDIUM 8, LOW 7

Vulnerabilities

Page 2 of 2
CVE-2017-0901 | HIGH | CVSS 7.5 | PoC available | fixed in rubygems 3.2.0~rc.1-1 (bookworm) | 2017
  [HIGH] rubygems: RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
  Scope: local. bookworm: resolved (fixed in 3.2.0~rc.1-1); bullseye: resolved (fixed in 3.2.0~rc.1-1); forky: resolved (fixed in 3.2.0~rc.1-1); sid: resolved (fixed in 3.2.0~rc.1-1); trixie: resolved (fixed in 3.
CVE-2017-0902 | HIGH | CVSS 8.1 | fixed in rubygems 3.2.0~rc.1-1 (bookworm) | 2017
  [HIGH] rubygems: RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
  Scope: local. bookworm: resolved (fixed in 3.2.0~rc.1-1); bullseye: resolved (fixed in 3.2.0~rc.1-1); forky: resolved (fixed in 3.2.0~rc.1-1); sid: resolved (fixe
CVE-2017-0900 | HIGH | CVSS 7.5 | fixed in rubygems 3.2.0~rc.1-1 (bookworm) | 2017
  [HIGH] rubygems: RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that cause a denial of service attack against RubyGems clients who have issued a `query` command.
  Scope: local. bookworm: resolved (fixed in 3.2.0~rc.1-1); bullseye: resolved (fixed in 3.2.0~rc.1-1); forky: resolved (fixed in 3.2.0~rc.1-1); sid: resolved (fixed in 3.2.0~rc.1-1); trix
CVE-2017-0899 | LOW | CVSS 9.8 | fixed in rubygems 3.2.0~rc.1-1 (bookworm) | 2017
  [CRITICAL] rubygems: RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
  Scope: local. bookworm: resolved (fixed in 3.2.0~rc.1-1); bullseye: resolved (fixed in 3.2.0~rc.1-1); forky: resolved (fixed in 3.2.0~rc.1-1); sid: resolved (fixed
CVE-2015-3900 | MEDIUM | CVSS 5.0 | fixed in jruby 1.7.20.1-2 (bookworm) | 2015
  [MEDIUM] jruby: RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
  Scope: local. bookworm: resolved (fixed in 1.7.20.1-2); forky: resolved (fixed in 1.7.20.1-2); si
CVE-2015-4020 | LOW | CVSS 5.0 | 2015
  [MEDIUM] jruby: RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists b
CVE-2013-4363 | LOW | CVSS 4.3 | fixed in rubygems 3.2.0~rc.1-1 (bookworm) | 2013
  [MEDIUM] rubygems: Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amou
CVE-2013-4287 | LOW | CVSS 4.3 | fixed in rubygems 3.2.0~rc.1-1 (bookworm) | 2013
  [MEDIUM] rubygems: Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of back
CVE-2012-2125 | MEDIUM | CVSS 5.8 | fixed in rubygems 1.8.24-1 (bookworm) | 2012
  [MEDIUM] rubygems: RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.
  Scope: local. bookworm: resolved (fixed in 1.8.24-1); bullseye: resolved (fixed in 1.8.24-1); forky: resolved (fixed in 1.8.24-1); sid: resolved (fixed in 1.8.24-1); trixie: resolved (fix
CVE-2012-2126 | MEDIUM | CVSS 4.3 | fixed in rubygems 1.8.24-1 (bookworm) | 2012
  [MEDIUM] rubygems: RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.
  Scope: local. bookworm: resolved (fixed in 1.8.24-1); bullseye: resolved (fixed in 1.8.24-1); forky: resolved (fixed in 1.8.24-1); sid: resolved (fixed in 1.8.24-1); trixie: resolved (fixed in 1.8.24-1)