Debian 10216 Published by

A ruby2.1 security update has been released for Debian GNU/Linux 8 LTS to address a heap overflow vulnerability in the Psych::Emitter startdocument function of Ruby.



Package : ruby2.1
Version : 2.1.5-2+deb8u9
CVE ID : CVE-2016-2338

An exploitable heap overflow vulnerability exists in the
Psych::Emitter startdocument function of Ruby. In Psych::Emitter
startdocument function heap buffer "head" allocation is made based on
tags array length. Specially constructed object passed as element of
tags array can increase this array size after mentioned allocation and
cause heap overflow

For Debian 8 "Jessie", this problem has been fixed in version
2.1.5-2+deb8u9.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS