There is a buffer underrun vulnerability in OpenSSL bundled by Ruby. If a malicious string is passed to the decode method of OpenSSL::ASN1, buffer underrun may be caused and the Ruby interpreter may crash. References: https://bugzilla.novell.com/show_bug.cgi?id=1058757 https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1492016] Created ruby193-ruby tracking bugs for this issue: Affects: openshift-1 [bug 1492017]
ruby-2.4.2-84.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
It appears that CVE-2017-14033 corresponds to a vulnerability reported via https://hackerone.com/reports/170316 (currently private). The corresponding upstream fix in ruby-openssl: is https://github.com/ruby/openssl/commit/1648afef33c1d97fb203c82291b8a61269e85d3b ruby-openssl v2.0.0, which contains the fix, was pulled in ruby-2.4.0, via the following commit: https://github.com/ruby/ruby/commit/aab0d67a1ff5190ff7a951e40cee742210302aed Thus it seems that, unlike stated upstream, ruby-2.4.0 isn't vulnerable to CVE-2017-14033
External References: https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
Statement: This issue did not affect the versions of ruby as shipped with Red Hat Enterprise Linux 5 and 6, and the versions of rh-ruby24-ruby. This issue affects the versions of ruby as shipped with Red Hat Enterprise Linux 7 and the versions of rh-ruby22-ruby and rh-ruby23-ruby as shipped with Red Hat Software Collections 3. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0378
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0583
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Via RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2018:0585