==========================================================================

Ubuntu Security Notice USN-6838-2
February 10, 2025

ruby2.3, ruby2.5 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Ruby could be made to crash or run programs as your login if it
opened a specially crafted file.

Software Description:
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language

Details:

USN-6838-1 fixed CVE-2024-27281 in Ruby 2.7, Ruby 3.0, Ruby 3.1,
and Ruby 3.2. This update provides the corresponding updates for
Ruby 2.3 and Ruby 2.5.

Original advisory details:

 It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If
 a user or automated system were tricked into parsing a specially crafted
 .rdoc_options file, a remote attacker could possibly use this issue to
 execute arbitrary code. (CVE-2024-27281)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
  libruby2.5                      2.5.1-1ubuntu1.16+esm3
                                  Available with Ubuntu Pro
  ruby2.5                         2.5.1-1ubuntu1.16+esm3
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libruby2.3                      2.3.1-2~ubuntu16.04.16+esm9
                                  Available with Ubuntu Pro
  ruby2.3                         2.3.1-2~ubuntu16.04.16+esm9
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6838-2 
<https://ubuntu.com/security/notices/USN-6838-2>
https://ubuntu.com/security/notices/USN-6838-1 
<https://ubuntu.com/security/notices/USN-6838-1>
  CVE-2024-27281