Fluid Attacks Database

Description

RubyGems Improper Verification of Cryptographic Signature vulnerability RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, and Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contain an Improper Verification of Cryptographic Signature vulnerability in package.rb. This can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. This vulnerability has been fixed in 2.7.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	rubygems-update	>=2.2.0 <2.7.6	2.7.6
maven	org.jruby:jruby-stdlib	>=0 <9.1.16.0	9.1.16.0
debian 12	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 14	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 13	jruby	>=0 <9.1.17.0-1	9.1.17.0-1
debian 11	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
debian 12	jruby	>=0 <9.1.17.0-1	9.1.17.0-1
debian 14	jruby	>=0 <9.1.17.0-1	9.1.17.0-1
debian 13	rubygems	>=0 <3.2.0~rc.1-1	3.2.0~rc.1-1
rpm rhel7	ruby	<0:2.0.0.648-36.el7	0:2.0.0.648-36.el7

1-10 of 13

Aliases

1. CVE-2018-10000762. NVD-2018-10000763. OSV-2018-10000764. OSV-DEBIAN-2018-10000765. GCVE-2018-10000766. lists.debian.org7. lists.debian.org8. lists.debian.org9. lists.debian.org10. lists.debian.org11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com15. access.redhat.com16. access.redhat.com17. access.redhat.com18. SECURITY-TRACKER-CVE-2018-1000076

References

1. https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f72. https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c6463766933. https://www.debian.org/security/2018/dsa-42594. https://www.debian.org/security/2018/dsa-42195. https://usn.ubuntu.com/3621-16. http://blog.rubygems.org/2018/02/15/2.7.6-released.html7. http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html