FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rubygems -- deserialization vulnerability

Affected packages
	ruby22-gems	<	2.6.14
	ruby23-gems	<	2.6.14
	ruby24-gems	<	2.6.14

Details

VuXML ID	2c8bd00d-ada2-11e7-82af-8dbff7d75206
Discovery	2017-10-09
Entry	2017-10-10

oss-security mailing list:

There is a possible unsafe object desrialization vulnerability in RubyGems. It is possible for YAML deserialization of gem specifications to bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

[source]

References

CVE Name	CVE-2017-0903
URL	http://blog.rubygems.org/2017/10/09/2.6.14-released.html
URL	http://www.openwall.com/lists/oss-security/2017/10/10/2