Sha256: 1eebfa25051d8d3334044c0a5edae8ba3606d498a3cd4b33aefd85c41d53ac64

Contents?: true

Size: 904 Bytes

Versions: 3

Compression:

Stored size: 904 Bytes

Contents

---
engine: ruby
cve: 2017-14033
url: https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
title: Buffer underrun vulnerability in OpenSSL ASN1 decode
date: 2017-09-14
description: |
  There is a buffer underrun vulnerability in OpenSSL bundled by Ruby.

  If a malicious string is passed to the decode method of OpenSSL::ASN1,
  buffer underrun may be caused and the Ruby interpreter may crash.
  All users running an affected release should either upgrade or use one of
  the workarounds immediately.

  The OpenSSL library is also distributed as a gem. If you can’t upgrade Ruby
  itself, install OpenSSL gem newer than version 2.0.0. But this workaround is
  only available with Ruby 2.4 series. When using Ruby 2.2 series or 2.3
  series, the gem does not override the bundled version of OpenSSL.
patched_versions:
  - "~> 2.2.8"
  - "~> 2.3.5"
  - ">= 2.4.2"

Version data entries

3 entries across 3 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/rubies/ruby/CVE-2017-14033.yml
bundler-budit-0.6.2 data/ruby-advisory-db/rubies/ruby/CVE-2017-14033.yml
bundler-budit-0.6.1 data/ruby-advisory-db/rubies/ruby/CVE-2017-14033.yml