rh-ruby26-ruby-2.6.7-119.el7
Errata ID: AXSA:2021-1768:01
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: rh-ruby26-ruby (2.6.7).
Security Fix(es):
* rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code (CVE-2019-3881)
* ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)
* ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201)
* ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)
* rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)
* ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)
* ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)
* ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)
* ruby: HTTP response splitting in WEBrick (CVE-2019-16254)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* rh-ruby26-ruby: Resolv::DNS: timeouts if multiple IPv6 name servers are given and address contains leading zero [rhscl-3]
CVE-2019-15845
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
CVE-2019-16201
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
CVE-2019-16254
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
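The description above is the one place in this advisory where an application-side check makes a difference: WEBrick emits whatever a program puts in a header, so the program has to refuse request-derived values containing CR or LF. The following is an added example, not code from the advisory or from WEBrick; the helper names (safe_header_value?, safe_header_name?, set_response_header) and the sample inputs are this example's own. It rejects CRLF and, as the advisory notes the CVE-2017-17742 fix did not, an isolated CR or an isolated LF.

```ruby
# Added example (not code from the advisory or from WEBrick): a check an
# application applies before copying request-derived data into a response
# header. Rejects CRLF, an isolated CR and an isolated LF. Helper names
# are this example's own.

class UnsafeHeaderError < StandardError; end

# A header field value may not contain CR, LF or NUL in any combination.
# Returns true when the value can be emitted without splitting the header block.
def safe_header_value?(value)
  value.is_a?(String) && !value.match?(/[\r\n\0]/)
end

# Header field names are limited to RFC 7230 "token" characters, so a
# CR/LF (or a colon) carried in the name is rejected as well.
def safe_header_name?(name)
  name.is_a?(String) && name.match?(/\A[A-Za-z0-9!\#$%&'*+.^_`|~-]+\z/)
end

# Sets a header on any response object that supports []= (a WEBrick
# HTTPResponse does), raising instead of emitting a splittable value.
def set_response_header(response, name, value)
  raise UnsafeHeaderError, "bad header name #{name.inspect}" unless safe_header_name?(name)
  raise UnsafeHeaderError, "bad value for #{name}: #{value.inspect}" unless safe_header_value?(value)
  response[name] = value
end

# Constructed sample inputs for a Location header built from a request
# parameter, paired with whether the check should accept them.
SAMPLE_LOCATIONS = [
  ['/account',                 true],
  ["/ok\r\nSet-Cookie: a=b",   false], # CRLF (covered by the earlier fix)
  ["/ok\rSet-Cookie: a=b",     false], # isolated CR
  ["/ok\nSet-Cookie: a=b",     false], # isolated LF
  ["/ok\0",                    false], # NUL
].freeze

# Runs the check over the samples; returns only the values it accepts.
def accepted_locations(samples = SAMPLE_LOCATIONS)
  samples.map(&:first).select { |v| safe_header_value?(v) }
end

if __FILE__ == $0
  response = {}
  SAMPLE_LOCATIONS.each do |loc, _expected|
    begin
      set_response_header(response, 'Location', loc)
      puts "accepted #{loc.inspect}"
    rescue UnsafeHeaderError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The check is deliberately a reject list of three bytes rather than an attempt to "sanitize" by stripping them: a stripped value silently changes meaning, while a raised error surfaces the bad input where it can be logged.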
CVE-2019-16255
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
CVE-2019-3881
Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed.
CVE-2020-10663
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
CVE-2020-10933
An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.
CVE-2020-25613
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
CVE-2021-28965
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
Update packages.
N/A
SRPMS
- rh-ruby26-ruby-2.6.7-119.el7.src.rpm
MD5: 3d953476efbd2044737eecedc2f48845
SHA-256: 976c2c40fba9fb928afa286385de6958ea023de283fa679ef39798123cbdff4b
Size: 11.15 MB
Asianux Server 7 for x86_64
- rh-ruby26-ruby-2.6.7-119.el7.x86_64.rpm
MD5: c79846a0c3935ec0d89dbc4d3d85b9a9
SHA-256: c0ff7c7f1fd05b3a7eff738428c09a9c29275a0a0993308fa407848678793ce4
Size: 78.04 kB
- rh-ruby26-ruby-devel-2.6.7-119.el7.x86_64.rpm
MD5: f6ddedab2140ccaf7a7fbe12c97b11fd
SHA-256: 7e6688cb721571d3efaf6e3bfa701913b0b6c3311a48bdea0a6185a9f8feb3b6
Size: 230.39 kB
- rh-ruby26-ruby-doc-2.6.7-119.el7.noarch.rpm
MD5: ba8eba71535bbb8a4aafe4e5b6b6adb7
SHA-256: 093b143faee57137f211441bd6513ca5fe7147db396949ff64328d41043eecd8
Size: 6.33 MB
- rh-ruby26-rubygem-bigdecimal-1.4.1-119.el7.x86_64.rpm
MD5: b62778d98d828ab2f230928f610ca0cc
SHA-256: 3c4d1291bebe5d014efef803252fea950b47cd2903ddf52a9721bf5ce8293a69
Size: 91.02 kB
- rh-ruby26-rubygem-bundler-1.17.2-119.el7.noarch.rpm
MD5: b8dca1cc049a104b2f3d5cb2e336ff49
SHA-256: 90204812222c4ca25f85aafee3b084e5f3cabb8dd94d26d4961a8a002a9f567a
Size: 349.73 kB
- rh-ruby26-rubygem-did_you_mean-1.3.0-119.el7.noarch.rpm
MD5: a7b4b590ced5a3276a3716ded4e9957b
SHA-256: 10cf3a0ada009c203215cd0e4418b42b24a2267c2ce610c7d8fba8e4a634b050
Size: 75.70 kB
- rh-ruby26-rubygem-io-console-0.4.7-119.el7.x86_64.rpm
MD5: f8f3a04244e54825623b8126429c3b34
SHA-256: 069c9dd76139f096286e9a8e596a064486a1edc53e5375118684381c64314b0a
Size: 58.07 kB
- rh-ruby26-rubygem-irb-1.0.0-119.el7.noarch.rpm
MD5: 65275b5201641cc7a00142e328af6c79
SHA-256: 5822dd908daf4b6e46c05017f478fa8252b78c2c948dd4907d88eda73bb891c5
Size: 97.64 kB
- rh-ruby26-rubygem-json-2.1.0-119.el7.x86_64.rpm
MD5: 119486edd34235d4b40dc89dc4d1c17d
SHA-256: 9feef2dccc82206de9252e04dcdd532e5e327468e743e1bd6aee8504eec35d87
Size: 81.50 kB
- rh-ruby26-rubygem-minitest-5.11.3-119.el7.noarch.rpm
MD5: a1b15434a836a887d5d3d0e031a9fe64
SHA-256: 29a4ea56c1c458e90686c5e8371589e3f34cf69cf630d32a285beb381c966968
Size: 117.62 kB
- rh-ruby26-rubygem-net-telnet-0.2.0-119.el7.noarch.rpm
MD5: 188a0e9553c602acc3a605d026198cc4
SHA-256: 11aa37aad98eb830883701a8eaeeb0a4b7b1c745f8cb1d44e4c029ff73bea6cd
Size: 62.52 kB
- rh-ruby26-rubygem-openssl-2.1.2-119.el7.x86_64.rpm
MD5: a259501ada404d5b493763671ffdad07
SHA-256: e7a78bbd01c9deb2b845c9facfe812add7528791fcc9a5920eefe0b4165c1f8f
Size: 178.12 kB
- rh-ruby26-rubygem-power_assert-1.1.3-119.el7.noarch.rpm
MD5: 9151e7efa3a1227a8603718ad14548de
SHA-256: ba4a0314ef5ee9f65d478f404d489c6d9ffbee359b98e3c75c3abaa900cf0071
Size: 61.93 kB
- rh-ruby26-rubygem-psych-3.1.0-119.el7.x86_64.rpm
MD5: e7ea4b0db0884d843afd9be9bc76697b
SHA-256: 947cbe76bda41cc850b61859480f5f924d0bdbb819b466cf1fae9e8925290598
Size: 87.35 kB
- rh-ruby26-rubygem-rake-12.3.3-119.el7.noarch.rpm
MD5: 6eb2f1cf0cd32e9f3e7d620081280a19
SHA-256: d931b7d904a2cf190b758b07793d792a2b2342c4b776b1b4445950c55c8de851
Size: 134.13 kB
- rh-ruby26-rubygem-rdoc-6.1.2-119.el7.noarch.rpm
MD5: 8fb4301868b9a97b9028f4bd3cb56332
SHA-256: 138ad00ff567f8aec7a3d77860c84cb9ddad2c32098cace388a0d1be82bd5f86
Size: 449.84 kB
- rh-ruby26-rubygems-3.0.3.1-119.el7.noarch.rpm
MD5: 692b643701416ccdf5aa2ec7dc5a9bbe
SHA-256: 8e0e8c32fa92872ceed0495ae0737be63ac8e4559637f9132768bda5b6080cc1
Size: 309.96 kB
- rh-ruby26-rubygems-devel-3.0.3.1-119.el7.noarch.rpm
MD5: aed10d0d9d465d79c8819a3598e34b5f
SHA-256: 4183730c69cf373bd4ebfdba620690b26a938315582ffa6a69909fd256b1f760
Size: 49.94 kB
- rh-ruby26-rubygem-test-unit-3.2.9-119.el7.noarch.rpm
MD5: 7f541168cb0632ed0400447852dc3975
SHA-256: 0fff6c467fab7a8482a2cd95585326962547999cfd719b02f7f0d90ce108e5e4
Size: 178.59 kB
- rh-ruby26-rubygem-xmlrpc-0.3.0-119.el7.noarch.rpm
MD5: 01bd5aa89f1e82b19a120f3cccf63807
SHA-256: c3be4150c32a2a8a7eddd10c7967790b609d189a4d263dbb6f146d2c924467b3
Size: 74.08 kB
- rh-ruby26-ruby-libs-2.6.7-119.el7.x86_64.rpm
MD5: bf8ca2bac5fbe531275a309da6605b25
SHA-256: 80942a9b3843ef21fed37d283717b8f133ff0d0f2703beee2d99e92a16dda12d
Size: 2.95 MB
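The package table above lists an MD5 and a SHA-256 for every RPM. The following is an added example, not part of the advisory or of the vendor's tooling: a small Ruby checker that parses records in exactly this format ("- file", "MD5:", "SHA-256:", "Size:", including two records run together on one "Size: ... - file" line, as extraction sometimes leaves them) and compares downloaded files against the SHA-256 values. The embedded listing is a two-record excerpt copied from this page; the function names are this example's own.

```ruby
# Added example, not part of the advisory: parse the advisory's package
# listing and verify downloaded RPMs against the listed SHA-256 values.
# Function names and the directory layout are this example's own choices.

require 'digest'

# Constructed excerpt of the package table above (same record format).
ADVISORY_EXCERPT = <<~LIST
  - rh-ruby26-ruby-2.6.7-119.el7.x86_64.rpm
  MD5: c79846a0c3935ec0d89dbc4d3d85b9a9
  SHA-256: c0ff7c7f1fd05b3a7eff738428c09a9c29275a0a0993308fa407848678793ce4
  Size: 78.04 kB
  - rh-ruby26-ruby-libs-2.6.7-119.el7.x86_64.rpm
  MD5: bf8ca2bac5fbe531275a309da6605b25
  SHA-256: 80942a9b3843ef21fed37d283717b8f133ff0d0f2703beee2d99e92a16dda12d
  Size: 2.95 MB
LIST

# Parses the listing into { filename => { md5:, sha256:, size: } }.
# A "Size: ... - next.rpm" line (two records glued together) is handled too.
def parse_package_list(text)
  packages = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A(?:Size:\s*(?<size>[\d.]+\s*[kMG]?B)\s*)?-\s*(?<file>\S+\.rpm)\z/))
      packages[current][:size] = m[:size] if current && m[:size]
      current = m[:file]
      packages[current] = { md5: nil, sha256: nil, size: nil }
    elsif current && (m = line.match(/\AMD5:\s*(\h{32})\z/))
      packages[current][:md5] = m[1]
    elsif current && (m = line.match(/\ASHA-256:\s*(\h{64})\z/))
      packages[current][:sha256] = m[1]
    elsif current && (m = line.match(/\ASize:\s*([\d.]+\s*[kMG]?B)\z/))
      packages[current][:size] = m[1]
    end
  end
  packages
end

# Streams the file through SHA-256 (RPMs can be large) and compares with the
# advisory value. MD5 is parsed but not used for the decision: it is not
# collision-resistant, so SHA-256 is the value to rely on.
def sha256_matches?(path, expected_hex)
  digest = Digest::SHA256.new
  File.open(path, 'rb') { |f| while (chunk = f.read(1 << 20)); digest << chunk; end }
  digest.hexdigest == expected_hex.downcase
end

# Checks every file named in the listing against dir; returns
# { filename => :ok | :mismatch | :missing }.
def verify_downloads(listing_text, dir)
  parse_package_list(listing_text).to_h do |file, meta|
    path = File.join(dir, file)
    status = if !File.file?(path) then :missing
             elsif sha256_matches?(path, meta[:sha256]) then :ok
             else :mismatch
             end
    [file, status]
  end
end

if __FILE__ == $0
  dir = ARGV[0] || '.'
  verify_downloads(ADVISORY_EXCERPT, dir).each { |file, status| puts "#{status}\t#{file}" }
end
```

Run it with the download directory as the first argument; a :mismatch for any file means the download should be discarded rather than installed. The hash comparison is a supplement to, not a replacement for, rpm's own GPG signature check on the packages.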