Debian Long Term Support / LTS Security Information / 2020 / Security Information -- DLA-2158-1 ruby2.1

Debian Security Advisory

DLA-2158-1 ruby2.1 -- LTS security update

Date Reported:

25 Mar 2020

Affected Packages:

ruby2.1

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-2338.

More information:

An exploitable heap overflow vulnerability exists in the Psych::Emitter startdocument function of Ruby. In Psych::Emitter startdocument function heap buffer head allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow

For Debian 8 Jessie, this problem has been fixed in version 2.1.5-2+deb8u9.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS