This bug was fixed in the package libzip-ruby -
0.9.4-1+deb7u1build0.12.04.1
---------------
libzip-ruby (0.9.4-1+deb7u1build0.12.04.1) precise-security; urgency=medium
* fake sync from Debian (LP: #1669894)
libzip-ruby (0.9.4-1+deb7u1) wheezy-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2017-5946:
It was discovered that libzip-ruby, a Ruby module for reading and writing
zip files, is prone to a directory traversal vulnerability. An attacker can
take advantage of this flaw to overwrite arbitrary files during archive
extraction via a .. (dot dot) in an extracted filename.
-- Tyler Hicks <[email protected]> Mon, 13 Mar 2017 15:06:48 +0000
** Changed in: libzip-ruby (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1669894
Title:
Security - CVE-2017-5946
Status in libzip-ruby package in Ubuntu:
Fix Released
Status in ruby-zip package in Ubuntu:
Fix Released
Status in ruby-zip source package in Xenial:
Incomplete
Status in ruby-zip source package in Yakkety:
Incomplete
Status in ruby-zip source package in Zesty:
Fix Released
Bug description:
This version of rubyzip is vulnerable to directory traversal attacks.
Please see CVE-2017-5946.
It needs to be upgraded to version 1.2.1. It is currently on version
1.1.7.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libzip-ruby/+bug/1669894/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : [email protected]
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
