MGASA-2018-0411

Ruby before 2.2.10 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick (CVE-2017-17742).

Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10 might allow attackers to create arbitrary directories or files via a .. (dot dot) in the prefix argument (CVE-2018-6914).

In Ruby before 2.2.10, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption) (CVE-2018-8777).

In Ruby before 2.2.10, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure (CVE-2018-8778).

In Ruby before 2.2.10, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. It may be connected to an unintended socket (CVE-2018-8779).

In Ruby before 2.2.10, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed (CVE-2018-8780).

Due to a bug in the equality check of OpenSSL::X509::Name, if a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility to be judged incorrectly that they are equal (CVE-2018-16395).

In Array#pack and String#unpack with some formats, the tainted flags of the original data are not propagated to the returned string/array (CVE-2018-16396).