ruby-2.0.0.648-35.0.1.el7.AXS7

エラータID: AXSA:2019-3890:02

Release date: 
Thursday, May 23, 2019 - 09:07
Subject: 
ruby-2.0.0.648-35.0.1.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

Security Fix(es):

* rubygems: Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324)

* rubygems: Escape sequence injection vulnerability in gem owner (CVE-2019-8322)

* rubygems: Escape sequence injection vulnerability in API response handling (CVE-2019-8323)

* rubygems: Escape sequence injection vulnerability in errors (CVE-2019-8325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-8322
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-8323
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-8324
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-8325
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2019-8322
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
CVE-2019-8323
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
CVE-2019-8324
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
CVE-2019-8325
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
Additional Info: 

N/A

Download: 

SRPMS
  1. ruby-2.0.0.648-35.0.1.el7.AXS7.src.rpm
    MD5: e40cda0329f5cfa05788ae2a9f2a9685
    SHA-256: 415fcb2abcb77337e0f5b146da5caf0e7722402ca47710f3b603ba1c8f4c8e39
    Size: 10.22 MB

Asianux Server 7 for x86_64
  1. ruby-2.0.0.648-35.0.1.el7.AXS7.x86_64.rpm
    MD5: 2ff3c4b6dc3bd4c5942ff3f49a020f05
    SHA-256: dcff6f1641e0f6409d34cff4284c7f8d72f508092d9cb010111692f0bc45c4ea
    Size: 70.87 kB
  2. rubygem-bigdecimal-1.2.0-35.0.1.el7.AXS7.x86_64.rpm
    MD5: df3d1f0514ec4fe83a02ed05e9a3c6a0
    SHA-256: 0717caf0ba12a5b8e1bcbe0cb9489bd4c8e9faa77eb4a93fcdefa499ebb77cf2
    Size: 82.77 kB
  3. rubygem-io-console-0.4.2-35.0.1.el7.AXS7.x86_64.rpm
    MD5: 7450ccde5b8053a4b6c6311faf7122ab
    SHA-256: 78e6cbc71d55c0c27695274107930053bcc0a115652fb5e9e860edca8285c5a7
    Size: 53.83 kB
  4. rubygem-json-1.7.7-35.0.1.el7.AXS7.x86_64.rpm
    MD5: 3ef772c511ff988585b7fe7eae084938
    SHA-256: 9b4b1fc1755ea0774d2d596138a8fed73de76a06112dc96d3cb1549ce530536f
    Size: 79.36 kB
  5. rubygem-psych-2.0.0-35.0.1.el7.AXS7.x86_64.rpm
    MD5: 1fc30d0258031acb448308d7052cf0bc
    SHA-256: d29a575cb712ad33beb59817d1fbf8d2be5afd9cb20de5dc90ce7143e7f6efb9
    Size: 82.25 kB
  6. rubygem-rdoc-4.0.0-35.0.1.el7.AXS7.noarch.rpm
    MD5: 2f53a31a1a1c1d1bddb547d855ff15da
    SHA-256: 65bc3a0e1c60f9aafc311832975ff9097dd14f707b02c25a5b5037c2c71dcf81
    Size: 321.61 kB
  7. rubygems-2.0.14.1-35.0.1.el7.AXS7.noarch.rpm
    MD5: 2e989d0039108a263b6cbf7e029ca10b
    SHA-256: 6f772fe04fe93fc11790425b2a0c93ec8a3d3b5eeef90fad36b55da0318c637d
    Size: 219.40 kB
  8. ruby-irb-2.0.0.648-35.0.1.el7.AXS7.noarch.rpm
    MD5: 12ef9fea08c02316238ab8fc424a3053
    SHA-256: d9a5941d3da80b8a23e7a74bd32c98100b9f13a08f58d695936a4bc578c29e42
    Size: 91.89 kB
  9. ruby-libs-2.0.0.648-35.0.1.el7.AXS7.x86_64.rpm
    MD5: 5a800d416c4f07ee1b19f63efb2238a4
    SHA-256: 6d6592cb3747e6b2f953cdb97f8f9680d4fa52f8df9ecc7b60c494f59849e5e7
    Size: 2.80 MB
  10. ruby-libs-2.0.0.648-35.0.1.el7.AXS7.i686.rpm
    MD5: 9643f8546db99c0f4f6e270a08254eea
    SHA-256: 22049b247f43eac94ad6a1029501f7317bc74199967b57af0d95689e78c44ca5
    Size: 2.83 MB