CVE-2017-0903 Amazon Linux Security Advisory for ruby24,ruby22,ruby23: ALAS-2018-978

Unsafe object deserialization through YAML formatted gem specifications:A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter. (CVE-2017-0903 )

Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

Please refer to Amazon advisory ALAS-2018-978 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ALAS-2018-978: Amazon Linux (ruby24 (2.3.6-1.18.amzn1) on x86_64)

ALAS-2018-978: Amazon Linux (ruby24 (2.3.6-1.18.amzn1) on src)

ALAS-2018-978: Amazon Linux (ruby23 (2.3.6-1.18.amzn1) on src)

ALAS-2018-978: Amazon Linux (ruby23 (2.3.6-1.18.amzn1) on i686)

ALAS-2018-978: Amazon Linux (ruby24 (2.3.6-1.18.amzn1) on i686)

ALAS-2018-978: Amazon Linux (ruby22 (2.3.6-1.18.amzn1) on noarch)

ALAS-2018-978: Amazon Linux (ruby23 (2.3.6-1.18.amzn1) on x86_64)

ALAS-2018-978: Amazon Linux (ruby22 (2.3.6-1.18.amzn1) on x86_64)

ALAS-2018-978: Amazon Linux (ruby24 (2.3.6-1.18.amzn1) on noarch)

ALAS-2018-978: Amazon Linux (ruby23 (2.3.6-1.18.amzn1) on noarch)

ALAS-2018-978: Amazon Linux (ruby22 (2.3.6-1.18.amzn1) on src)

ALAS-2018-978: Amazon Linux (ruby22 (2.3.6-1.18.amzn1) on i686)