SUMMARY
cPanel, Inc. has released updated RPMs for EasyApache 4 on October 3, 2017, with Ruby 2.4.2. This release addresses vulnerabilities related to CVE-2017-0898, CVE-2017-10784, CVE-2017-14033, and CVE-2017-14064. We strongly encourage all Ruby users to upgrade to version 2.4.2.
AFFECTED VERSIONS
All versions of RubyGems through 2.4.1
SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
CVE             Severity  Affected    Change in Ruby 2.4.2
CVE-2017-0898   HIGH      Ruby 2.4.1  Fix buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784  MEDIUM    Ruby 2.4.1  Fix escape sequence injection vulnerability
CVE-2017-14033  HIGH      Ruby 2.4.1  Fix buffer underrun vulnerability
CVE-2017-14064  HIGH      Ruby 2.4.1  Fix heap exposure when generating JSON
SOLUTION
cPanel, Inc. has released updated RPMs for EasyApache 4 on October 3, 2017, with Ruby version 2.4.2. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.
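As an added example (not cPanel's or Ruby's own code), a small POSIX shell check that a host's Ruby is at or above the 2.4.2 release this advisory names; it assumes GNU sort -V is available and parses the banner printed by ruby -v.

```shell
# Added example (not cPanel's code): report whether a Ruby version string is
# below the fixed release 2.4.2 named in this advisory.
FIXED_RUBY="2.4.2"

# Extract "x.y.z" from a `ruby -v` banner such as
# "ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]" (constructed sample).
ruby_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ruby \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Returns 0 (true) when the given version is strictly lower than $FIXED_RUBY.
# Uses GNU sort -V so 2.4.10 sorts after 2.4.2 (plain string comparison would not).
ruby_is_vulnerable() {
    ver="$1"
    [ "$ver" != "$FIXED_RUBY" ] &&
        [ "$(printf '%s\n%s\n' "$ver" "$FIXED_RUBY" | sort -V | head -n 1)" = "$ver" ]
}

# Check the Ruby on this host; exit status 1 means an update is still needed.
check_installed_ruby() {
    banner="$(ruby -v 2>/dev/null)" || { echo "ruby not found"; return 2; }
    ver="$(ruby_version_from_banner "$banner")"
    if ruby_is_vulnerable "$ver"; then
        echo "Ruby $ver is below $FIXED_RUBY: run 'yum update' (or WHM's Run System Update)"
        return 1
    fi
    echo "Ruby $ver is at or above $FIXED_RUBY"
}
```

Run check_installed_ruby after the update to confirm the EasyApache 4 Ruby on the host reports 2.4.2 or later.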
REFERENCES
https://nvd.nist.gov/vuln/detail/CVE-2017-0898
https://nvd.nist.gov/vuln/detail/CVE-2017-10784
https://nvd.nist.gov/vuln/detail/CVE-2017-14033
https://nvd.nist.gov/vuln/detail/CVE-2017-14064
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released/
For the PGP signed message, please see EA4 2017-10-3 CVE