USN-6838-1 fixed CVE-2024-27281 in Ruby 2.7, Ruby 3.0, Ruby 3.1, and Ruby 3.2. This update provides the corresponding updates for Ruby 2.3 and Ruby 2.5.
Original advisory details:
It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If a user or automated system were tricked into parsing a specially crafted .rdoc_options file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2024-27281)
{ "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro", "binaries": [ { "binary_name": "libruby2.3", "binary_version": "2.3.1-2~ubuntu16.04.16+esm9" }, { "binary_name": "libruby2.3-dbg", "binary_version": "2.3.1-2~ubuntu16.04.16+esm9" }, { "binary_name": "libruby2.3-dbgsym", "binary_version": "2.3.1-2~ubuntu16.04.16+esm9" }, { "binary_name": "ruby2.3", "binary_version": "2.3.1-2~ubuntu16.04.16+esm9" }, { "binary_name": "ruby2.3-dbgsym", "binary_version": "2.3.1-2~ubuntu16.04.16+esm9" }, { "binary_name": "ruby2.3-dev", "binary_version": "2.3.1-2~ubuntu16.04.16+esm9" }, { "binary_name": "ruby2.3-dev-dbgsym", "binary_version": "2.3.1-2~ubuntu16.04.16+esm9" }, { "binary_name": "ruby2.3-doc", "binary_version": "2.3.1-2~ubuntu16.04.16+esm9" }, { "binary_name": "ruby2.3-tcltk", "binary_version": "2.3.1-2~ubuntu16.04.16+esm9" }, { "binary_name": "ruby2.3-tcltk-dbgsym", "binary_version": "2.3.1-2~ubuntu16.04.16+esm9" } ] }
{ "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro", "binaries": [ { "binary_name": "libruby2.5", "binary_version": "2.5.1-1ubuntu1.16+esm3" }, { "binary_name": "libruby2.5-dbgsym", "binary_version": "2.5.1-1ubuntu1.16+esm3" }, { "binary_name": "ruby2.5", "binary_version": "2.5.1-1ubuntu1.16+esm3" }, { "binary_name": "ruby2.5-dbgsym", "binary_version": "2.5.1-1ubuntu1.16+esm3" }, { "binary_name": "ruby2.5-dev", "binary_version": "2.5.1-1ubuntu1.16+esm3" }, { "binary_name": "ruby2.5-doc", "binary_version": "2.5.1-1ubuntu1.16+esm3" } ] }