group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1669894] Re: Security - CVE-2017-5946

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1669894@xxxxxxxxxxxxxxxxxx>
Date: Mon, 13 Mar 2017 18:14:06 -0000
Reply-to: Bug 1669894 <1669894@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package libzip-ruby -
0.9.4-1+deb7u1build0.12.04.1

---------------
libzip-ruby (0.9.4-1+deb7u1build0.12.04.1) precise-security; urgency=medium

  * fake sync from Debian (LP: #1669894)

libzip-ruby (0.9.4-1+deb7u1) wheezy-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2017-5946:
    It was discovered that libzip-ruby, a Ruby module for reading and writing
    zip files, is prone to a directory traversal vulnerability. An attacker can
    take advantage of this flaw to overwrite arbitrary files during archive
    extraction via a .. (dot dot) in an extracted filename.

 -- Tyler Hicks <tyhicks@xxxxxxxxxxxxx>  Mon, 13 Mar 2017 15:06:48 +0000

** Changed in: libzip-ruby (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1669894

Title:
  Security - CVE-2017-5946

Status in libzip-ruby package in Ubuntu:
  Fix Released
Status in ruby-zip package in Ubuntu:
  Fix Released
Status in ruby-zip source package in Xenial:
  Incomplete
Status in ruby-zip source package in Yakkety:
  Incomplete
Status in ruby-zip source package in Zesty:
  Fix Released

Bug description:
  This version of rubyzip is vulnerable to directory traversal attacks.
  Please see CVE-2017-5946.

  It needs to be upgraded to version 1.2.1. It is currently on version
  1.1.7.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libzip-ruby/+bug/1669894/+subscriptions