ruby:2.5 security, bug fix, and enhancement update
Errata ID: AXSA:2021-2345:01
Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: ruby (2.5.9). (BZ#1952626)
Security Fix(es):
* ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)
* ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201)
* ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)
* rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)
* ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)
* ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)
* ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)
* ruby: HTTP response splitting in WEBrick (CVE-2019-16254)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2019-15845
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
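The following is an added example, not code from the advisory or from Ruby itself. It probes whether the running interpreter still accepts a NUL byte in a File.fnmatch pattern (a fixed interpreter raises ArgumentError), and shows the allow-list shape the vulnerability targets: a pattern assembled from caller-controlled input, where a NUL placed by the caller cut the pattern short on unpatched versions. The file names and the safe_fnmatch? wrapper are the example's own.

```ruby
# Added example, not part of the advisory or of Ruby itself.

# Returns :patched when the interpreter refuses a NUL byte in the pattern
# (ArgumentError "string contains null byte"), :vulnerable when it silently
# returns a match result instead.
def fnmatch_nul_probe
  # A caller intends "<name>.txt"; an attacker supplies "*\0" as <name>.
  # On an unpatched interpreter the pattern is effectively "*" and the
  # allow-list check matches a file it should never match.
  File.fnmatch("*\0.txt", "secret.key")
  :vulnerable
rescue ArgumentError
  :patched
end

# Defensive wrapper for interpreters that cannot be updated yet: reject NUL in
# either argument before the matcher sees it, so the result never depends on
# how the underlying C code treats the byte.
def safe_fnmatch?(pattern, path, flags = 0)
  [pattern, path].each do |s|
    raise ArgumentError, "NUL byte in fnmatch argument" if s.include?("\0")
  end
  File.fnmatch?(pattern, path, flags)
end

# Allow-list check built from user input (constructed scenario): the caller
# intends to accept only "<user_name>.txt".
def allowed_file?(user_name, path)
  safe_fnmatch?("#{user_name}.txt", path)
end
```

Run fnmatch_nul_probe on each host as a quick check after the update; it should report :patched on ruby 2.5.9.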
CVE-2019-16201
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
CVE-2019-16254
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
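The following is an added example, not WEBrick's code, illustrating why the CRLF-only check from the CVE-2017-17742 fix was incomplete. It places a check that rejects only the two-byte "\r\n" sequence beside one that rejects any lone CR or LF, builds a response header block from caller-supplied input through each, and counts the header lines a lenient client would see. The response template and the Set-Cookie payload are constructed for the example.

```ruby
# Added example, not WEBrick's code.

# The incomplete check: rejects only the two-byte CRLF sequence.
def crlf_only_safe?(value)
  !value.include?("\r\n")
end

# The complete check: many clients treat a lone CR or a lone LF as a line
# terminator, so each must be rejected on its own.
def header_value_safe?(value)
  !value.match?(/[\r\n]/)
end

# Builds a redirect's header block from a caller-supplied Location value,
# running it through the given check first (constructed scenario).
def build_headers(location, check:)
  raise ArgumentError, "invalid header value" unless check.call(location)
  "HTTP/1.1 302 Found\r\nLocation: #{location}\r\n\r\n"
end

# Number of header lines a client that splits on CR, LF or CRLF would see.
# One more line than the server intended means splitting succeeded.
def header_line_count(raw)
  head, = raw.split("\r\n\r\n", 2)
  head.split(/\r\n|\r|\n/).length
end
```

A lone "\n" in the Location value passes crlf_only_safe? and yields three header lines instead of two; header_value_safe? rejects it before any bytes are written.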
CVE-2019-16255
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
CVE-2020-10663
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
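The following is an added example, not code from the advisory or the json gem. It shows what "object creation" means here: when additions are enabled, the parser looks up the class named by a "json_class" key and calls that class's json_create on the document. The example does not reproduce the specific condition in json 2.2.0 and earlier under which this behaviour was reached without being asked for; it demonstrates the mechanism with additions switched on explicitly, and the opt-out that untrusted input should always go through. The ConfigReloader class and the document are constructed for the example.

```ruby
# Added example, not the json gem's own code.
require 'json'

# A class that participates in JSON's additions protocol.  Any class that
# responds to json_create can be instantiated by the parser when the document
# carries a "json_class" key and create_additions is on.
class ConfigReloader
  attr_reader :path

  def initialize(path)
    @path = path
  end

  # Called by the parser with the parsed Hash when additions are enabled.
  def self.json_create(hash)
    new(hash["path"])
  end
end

# Constructed document of the shape the parser honours when additions are on.
UNTRUSTED_DOC = '{"json_class":"ConfigReloader","path":"/etc/app.conf"}'.freeze

# Additions explicitly enabled: the document chooses the class and the parser
# instantiates it.  This is the behaviour that must never be reachable from
# untrusted input.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Hardened entry point for untrusted input: create_additions pinned to false,
# so the result can only contain Hash, Array, String, Numeric, true/false/nil.
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false)
end

# Belt-and-braces check for older call sites: true only if the parsed tree
# consists solely of plain JSON types.
def plain_json?(obj)
  case obj
  when Hash  then obj.all? { |k, v| k.is_a?(String) && plain_json?(v) }
  when Array then obj.all? { |v| plain_json?(v) }
  when String, Integer, Float, TrueClass, FalseClass, NilClass then true
  else false
  end
end
```

With additions on, the same bytes come back as a ConfigReloader; through parse_untrusted they come back as a Hash whose "json_class" entry is just a string.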
CVE-2020-10933
An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter.
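The following is an added example, not code from the advisory or from Ruby. It reproduces the exact call shape named above, read_nonblock with a caller-supplied buffer and exception: false, on a socket pair that has nothing to read, and reports whether the buffer came back grown to the requested size without any data having been received. On the affected versions it did; on a fixed interpreter the buffer is not expanded to the request size when :wait_readable is returned. The socket pair, the buffer contents and the request size are the example's own.

```ruby
# Added example, not part of the advisory or of Ruby itself.
require 'socket'

REQUEST = 4096  # bytes asked for; larger than anything the buffer held before

# Exercises BasicSocket#read_nonblock(len, buf, exception: false) with no data
# pending, then with data pending, and describes what happened to buf.
def read_nonblock_probe
  reader, writer = Socket.pair(:UNIX, :STREAM, 0)
  buf = String.new("stale")   # mutable, five bytes, so growth is observable

  # Nothing to read yet: the method must return :wait_readable.  On affected
  # versions buf was resized to REQUEST bytes here with nothing copied in,
  # exposing whatever the heap held; a fixed interpreter does not grow it.
  first = reader.read_nonblock(REQUEST, buf, exception: false)
  result = {
    status: first,
    grown_to_request: buf.bytesize == REQUEST,
    bytes_after_wait: buf.bytesize,
  }

  # Normal path: data is available, buf receives it and is returned.
  writer.write("hello")
  second = reader.read_nonblock(REQUEST, buf, exception: false)
  result.merge(data: second, buffer_is_result: second.equal?(buf))
ensure
  reader&.close
  writer&.close
end
```

Programs that reuse a buffer across read_nonblock calls should also treat the buffer as undefined whenever the return value is :wait_readable, rather than reading its contents.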
CVE-2020-25613
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
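The following is an added example, not WEBrick's code, showing why a loose Transfer-Encoding check matters. It contains a small request parser and a body-framing decision that can run in a lax mode (any value containing "chunked" counts) or a strict mode (only the literal chunked token is accepted; any other Transfer-Encoding value is rejected, as RFC 7230 section 3.3.3 requires). When a front-end proxy and the origin frame the same request differently, the bytes one of them treats as the next request are the smuggled request. The raw requests and header values are constructed inputs for the example, not a tested bypass of any particular proxy.

```ruby
# Added example, not WEBrick's code.

# Splits a raw CRLF-delimited request (constructed input) into request line,
# a Hash of lower-cased header names to stripped values, and the body bytes.
def parse_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  request_line, *lines = head.split("\r\n")
  headers = lines.each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  [request_line, headers, body.to_s]
end

# Decides how the message body is delimited.
#   strict: false  substring match on the header value (lax)
#   strict: true   only the literal token "chunked", case-insensitively;
#                  any other Transfer-Encoding value is rejected (400) instead
#                  of silently falling back to Content-Length
def body_framing(headers, strict:)
  te = headers["transfer-encoding"]
  if te
    chunked = strict ? te.casecmp?("chunked") : te.downcase.include?("chunked")
    return :chunked if chunked
    return :reject if strict
  end
  headers.key?("content-length") ? :content_length : :no_body
end

# True when a strict parser and a lax parser would frame the same request
# differently: the precondition for request smuggling.
def framing_disagreement?(raw)
  _, headers, = parse_request(raw)
  body_framing(headers, strict: true) != body_framing(headers, strict: false)
end
```

A plain "Transfer-Encoding: chunked" is framed identically by both modes; a value such as "chunked, identity" sent together with a Content-Length is accepted as chunked by the lax mode and rejected by the strict one, which is the divergence the fix removes.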
CVE-2021-28965
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
Modularity name: [security-medium]ruby
Stream name: 2.5
Update packages.
N/A
SRPMS
- rubygem-abrt-0.3.0-4.module+el8+1287+ade9f336.src.rpm
MD5: 4773ee02d663a584824490bd150136d0
SHA-256: fcc78e11269a083bd1bcb7df25d39269545caced38fe23d277e96ad6edd024bd
Size: 16.05 kB
- rubygem-bson-4.3.0-2.module+el8+1287+ade9f336.src.rpm
MD5: a121e7efbdf36e03ac5e8b12805ca6e7
SHA-256: baaf6573a7baf54c9a4842dca9a12bd5ebf0e426929b9bf43fac7aa4e93ea1a5
Size: 90.10 kB
- rubygem-bundler-1.16.1-3.module+el8+1287+ade9f336.src.rpm
MD5: 783970238e9870386cf39cc22782057b
SHA-256: 7e63db6ced61875b86a82a6e2baab2ebed5ef59b6cca165feaf8a889d8c54953
Size: 14.63 MB
- rubygem-mongo-2.5.1-2.module+el8+1287+ade9f336.src.rpm
MD5: 4234832adfe5ade08e2a34a15c5dcfba
SHA-256: bcc5292345a0f842765962ccdc380e7cea03403593728e38b307064f8fbb711a
Size: 338.61 kB
- rubygem-mysql2-0.4.10-4.module+el8+1287+ade9f336.src.rpm
MD5: e091ed630625fefabdf92084b9e2cc2d
SHA-256: 1e3ff740dbf42bda90bd5cb60063feb4efc28d6e802c010544d19ef64bb5a049
Size: 108.18 kB
- rubygem-pg-1.0.0-2.0.1.module+el8+1287+ade9f336.src.rpm
MD5: 65e076b9b1167d5764d0fda4c77be533
SHA-256: f78344157e582451e2e3b239a0874e69efd5daf402747b1155aebccc823891ac
Size: 218.66 kB
- ruby-2.5.9-107.module+el8+1287+ade9f336.src.rpm
MD5: de0da87a2b8d5f07ddc77ac249c2a9f1
SHA-256: dc3ef774c2a7dcb5f29feec89f3e637a0c77a0cb3a5085855626205c33912f69
Size: 10.91 MB
Asianux Server 8 for x86_64
- rubygem-abrt-0.3.0-4.module+el8+1287+ade9f336.noarch.rpm
MD5: b8e4ec8d61082e86c197d1b962c1909f
SHA-256: 18ea8aa6fd04152d2080fc81ba7a96897133e5513740a069126731543d73e0f7
Size: 12.50 kB
- rubygem-abrt-doc-0.3.0-4.module+el8+1287+ade9f336.noarch.rpm
MD5: 677b77cf7ac1ceaa01f70f38350ef0a0
SHA-256: 78054a2abe2d55929904537aa32ec96cbbade8ef4c7cfd29a4e43736534ac7d1
Size: 198.17 kB
- rubygem-bson-4.3.0-2.module+el8+1287+ade9f336.x86_64.rpm
MD5: a2db71143d12304de5dbf66485dfb5f7
SHA-256: d823e955969b6499474a26270c219693d2b91ce3090186d7c1960e1bba7c1d8a
Size: 53.37 kB
- rubygem-bson-debugsource-4.3.0-2.module+el8+1287+ade9f336.x86_64.rpm
MD5: 70c95a74be0f9b4c40161310c9992d7e
SHA-256: 0afadc2b0eea0f0ebf7a9185178aede1a8d96eb9afd7feae5e438d9e5c15de12
Size: 19.74 kB
- rubygem-bson-doc-4.3.0-2.module+el8+1287+ade9f336.noarch.rpm
MD5: 4b85946bf7582b9b64c56c0f6b0a80a2
SHA-256: ff95d253090a3900ba275a550c95c400189641b3be3b5ea62be8a45e5024888c
Size: 373.81 kB
- rubygem-bundler-1.16.1-3.module+el8+1287+ade9f336.noarch.rpm
MD5: 2ddea2b9e79a80722d3612355a6726c0
SHA-256: 97f546e9d22a35bc1c4263c4e68e89365790c76bf9ac2bc6dc897cd0eb001907
Size: 350.56 kB
- rubygem-bundler-doc-1.16.1-3.module+el8+1287+ade9f336.noarch.rpm
MD5: dba843a15de8e2da915e8777ec4e8fb6
SHA-256: 13ecad32cb04acd0c2ef57dc2a12e1860726f3d5474b6ab13c22f8cc34ebd4fd
Size: 1.23 MB
- rubygem-mongo-2.5.1-2.module+el8+1287+ade9f336.noarch.rpm
MD5: 7425bef6c39521bd588138a7cebbbe9a
SHA-256: 3cc282db442c7f422a925e66ec3a7dc385994bd352833c0a25008aaa9eff1ab2
Size: 184.42 kB
- rubygem-mongo-doc-2.5.1-2.module+el8+1287+ade9f336.noarch.rpm
MD5: a0b8c747da5d1f7b95b068548542074a
SHA-256: f28d3cab129e9796661a853dd4ff37c8afd33399592f7e88c86048abe4f3f2b1
Size: 1.20 MB
- rubygem-mysql2-0.4.10-4.module+el8+1287+ade9f336.x86_64.rpm
MD5: b03c2f218a3d68e2745af7f15ff036f6
SHA-256: 6008953c24db4604875f683d5537fdaeb38c09be0723d2ba7ca003cc62eb5612
Size: 44.13 kB
- rubygem-mysql2-debugsource-0.4.10-4.module+el8+1287+ade9f336.x86_64.rpm
MD5: 602ec0d24fc39e536eaa01c6f447104e
SHA-256: 122bd5667c7c186fc4f605ed87e3a6c497bd837ab1ec1309f5fa3eb7476b90d9
Size: 35.87 kB
- rubygem-mysql2-doc-0.4.10-4.module+el8+1287+ade9f336.noarch.rpm
MD5: 52a4961d2a508b091f1adbca35abd566
SHA-256: 897cd61b271321d1cb8e6341c00305f6f98a018921be18315d42653fee2ffd82
Size: 275.24 kB
- rubygem-pg-1.0.0-2.0.1.module+el8+1287+ade9f336.x86_64.rpm
MD5: 8b503802dc0fc63a55fa234104e40fdf
SHA-256: 419ebc3d46835dba0a1f4b9dc94bd5743dea3307c9ebba55870e15e15a51dabc
Size: 86.22 kB
- rubygem-pg-debugsource-1.0.0-2.0.1.module+el8+1287+ade9f336.x86_64.rpm
MD5: 7e39282b91ffa18f9c4ae5f68925f9a4
SHA-256: 0462870b8f6e265a45374c4310003088995e46ecb8fb937c3af8f6d28ebff0f0
Size: 81.30 kB
- rubygem-pg-doc-1.0.0-2.0.1.module+el8+1287+ade9f336.noarch.rpm
MD5: 976cc8bd0be0166a6e076be7674301bb
SHA-256: 6271e43ac03b435a132eb7038e01d0d8242c0c9d12cb3784bc15e7c63c007030
Size: 522.87 kB
- ruby-2.5.9-107.module+el8+1287+ade9f336.x86_64.rpm
MD5: bf0f60e58af2cd77475d28eef81e2633
SHA-256: 5d730af8e0718d2e23f4e9f290ecb5e3a7f5a535eaddaa3ad658964df0876e46
Size: 85.42 kB
- ruby-debugsource-2.5.9-107.module+el8+1287+ade9f336.x86_64.rpm
MD5: 7484d0d750585850479603139168a342
SHA-256: b53d89385441aead0bd555e45a479ae8a96449a02406c208e81762337a830e5a
Size: 3.68 MB
- ruby-devel-2.5.9-107.module+el8+1287+ade9f336.x86_64.rpm
MD5: f501d7000591ec770c0222d292753e62
SHA-256: 75a9c2e00bb8bbde1c293b594ed431bdea5c1cfbff45801172fc54d87685b723
Size: 124.84 kB
- ruby-doc-2.5.9-107.module+el8+1287+ade9f336.noarch.rpm
MD5: 44871562c7829baffc383cda2a1a0596
SHA-256: 397b50dc387029c84778fccc08b5c655ce34d89f2302c1f0a56476b8f2ca4e42
Size: 5.33 MB
- ruby-irb-2.5.9-107.module+el8+1287+ade9f336.noarch.rpm
MD5: d3a2cb81d7f7d64ef07bb037f1d1854c
SHA-256: 4e474dc1251b5d44a5dc45c502ca5615dc2554b18400dfbcaa45371ed03d69f6
Size: 100.92 kB
- ruby-libs-2.5.9-107.module+el8+1287+ade9f336.x86_64.rpm
MD5: b41b50568767cca7bc416615334e6bb9
SHA-256: 1c2196b794bdb395e0fae1cc06167e7a57cf19ad39c68940b1108ea08c45954b
Size: 2.92 MB
- rubygem-bigdecimal-1.3.4-107.module+el8+1287+ade9f336.x86_64.rpm
MD5: bf2f5c246104c53ecb7768c6ed016e07
SHA-256: d639fede5a6415d18801082fca9cf475fb706a4814034ab4f342893de81f5506
Size: 96.00 kB
- rubygem-did_you_mean-1.2.0-107.module+el8+1287+ade9f336.noarch.rpm
MD5: 53a5b97bb20f03c09b37f5da730037e6
SHA-256: ff53aab5682191cb2c1498dc5f1c4c89ae91d0cabed45abd8aab12264e8ad871
Size: 80.06 kB
- rubygem-io-console-0.4.6-107.module+el8+1287+ade9f336.x86_64.rpm
MD5: ad9bcbb91fa848ba975bbc534b646e72
SHA-256: d3e880d5f401d781fa6e995dcb068708939277cd8cbf2e13648ada7bdba52254
Size: 65.45 kB
- rubygem-json-2.1.0-107.module+el8+1287+ade9f336.x86_64.rpm
MD5: 1d1f2658e8d676a4b585e83df7932623
SHA-256: 89ba4b4462b0da7ee179e8e77aa26089275b63647b439d2d32d70223df2685e2
Size: 89.29 kB
- rubygem-minitest-5.10.3-107.module+el8+1287+ade9f336.noarch.rpm
MD5: a2009c799d8567aeea51dad7f4fb321e
SHA-256: 0746d66891d76a2f56920c09a55f8323c5b5163af768656654cef7a056c3dac7
Size: 121.37 kB
- rubygem-openssl-2.1.2-107.module+el8+1287+ade9f336.x86_64.rpm
MD5: 3d37588f82f18368466af89287408b23
SHA-256: c4bc5f7e59062fea174f0551655edf1e514e31191d4a4082ddbdfa268e3c8228
Size: 188.14 kB
- rubygem-power_assert-1.1.1-107.module+el8+1287+ade9f336.noarch.rpm
MD5: bc9ad98b958f5acef9f0e3841aa8af7a
SHA-256: fee7e042a0aa7e7898faf78bc81a68d3b553fe149c9bd4cea3d9b96905ead264
Size: 68.15 kB
- rubygem-psych-3.0.2-107.module+el8+1287+ade9f336.x86_64.rpm
MD5: 566fe2af046eded0f928a8033e003b94
SHA-256: 3af26f7832ba6a7fd64a46495b50884ef5297f8edc71e069063718365a7322be
Size: 93.91 kB
- rubygem-rake-12.3.3-107.module+el8+1287+ade9f336.noarch.rpm
MD5: af65c346f5898afbcc85c6e74790e276
SHA-256: 85fbf25746d9a2d1c9eaa4f43c20d5510fdcbbc528de4df0988707766a5c479a
Size: 140.17 kB
- rubygem-rdoc-6.0.1.1-107.module+el8+1287+ade9f336.noarch.rpm
MD5: 44b0f46165a73d4d0f32df8aa75f3674
SHA-256: c7180efb7b279f49dea71ca4efebb7b652130501c8f994704dbd6608f9bd16b5
Size: 454.47 kB
- rubygem-test-unit-3.2.7-107.module+el8+1287+ade9f336.noarch.rpm
MD5: afe98ef8387bc44d8b6df1f816b35225
SHA-256: f0b7cbe426c657a052e7a523b33cd12226de9d9e6bd5946bcc3026bd7cb38ecf
Size: 180.96 kB
- rubygem-xmlrpc-0.3.0-107.module+el8+1287+ade9f336.noarch.rpm
MD5: b19359156058af81a860af9e7726bafa
SHA-256: eea28e023825f26886e03c153d16da4ebd073866fc0286c7619305374c185761
Size: 80.65 kB
- rubygems-2.7.6.3-107.module+el8+1287+ade9f336.noarch.rpm
MD5: 7b7b9e7624f9856a76787f4bc7adf069
SHA-256: f0964389b1f1805c5f4f10c6cdec877fc2bba3e759f598efcf7acb03cb28e0b8
Size: 306.87 kB
- rubygems-devel-2.7.6.3-107.module+el8+1287+ade9f336.noarch.rpm
MD5: b29bc5ddbef7b631c99ea78b56bca49d
SHA-256: 7c1f544a2b87b1a720237158f41879c1ffabfc92fad7c8a0413d98c8ace6e2c2
Size: 58.97 kB
- rubygem-bson-4.3.0-2.module+el8+1287+ade9f336.i686.rpm
MD5: 27a93d3a6436decc201de09c2fbf81d9
SHA-256: 72234d70caa6a6b6b809180624287f7d13361a9297a5ca27df1eb3a696040c67
Size: 53.10 kB
- rubygem-bson-debugsource-4.3.0-2.module+el8+1287+ade9f336.i686.rpm
MD5: b45938be66e7e9ea4aa6a315f5636a14
SHA-256: 1a8816480fd69695b320255d8dc6dc045cdcda5378566b707746b6acd900e62a
Size: 19.76 kB
- rubygem-mysql2-0.4.10-4.module+el8+1287+ade9f336.i686.rpm
MD5: a3c2913cf988d7215e2ce2f1b6cfe924
SHA-256: 3d041baf45fd85d79fc85e9eed0afb4246c7745e6d181f6ea33ef0f40a04e8c5
Size: 46.82 kB
- rubygem-mysql2-debugsource-0.4.10-4.module+el8+1287+ade9f336.i686.rpm
MD5: ce4cd1573ac7df7603a158b29d7c1ac3
SHA-256: fc9b8818ce1897670a35d6b57c300dc6d0c1f27a4b5d33a48f09c01769d23d37
Size: 35.88 kB
- rubygem-pg-1.0.0-2.0.1.module+el8+1287+ade9f336.i686.rpm
MD5: 36cd1a41c2e4b28ff3ee2a3f6cab4c51
SHA-256: 8fe42152806c1ff38fc94977cd3ba3148687f46c88e9a140005a37b1a928a976
Size: 92.71 kB
- rubygem-pg-debugsource-1.0.0-2.0.1.module+el8+1287+ade9f336.i686.rpm
MD5: 5fcd925df244c0d6f9d93cc11ee85507
SHA-256: 4d8bac1de8b36e39106b1a0fa2141c292d40c7dfee6bc09cb6ac45b8233512e8
Size: 81.32 kB
- ruby-2.5.9-107.module+el8+1287+ade9f336.i686.rpm
MD5: dda3a2cde98dd67fa5476026f5493eb9
SHA-256: a30352f188731e45b3a59561b0c26a664e79b4d3a008f985670870a7977af95a
Size: 85.53 kB
- ruby-debugsource-2.5.9-107.module+el8+1287+ade9f336.i686.rpm
MD5: df40f322adb0f16aec69eff103ca76fd
SHA-256: 737d5d4e2b25a588c766e9642e70d53c13ddf7e94c2a88e9943324e5f1bf995b
Size: 3.67 MB
- ruby-devel-2.5.9-107.module+el8+1287+ade9f336.i686.rpm
MD5: ce1bc73bb57b1bc5245c389e14920238
SHA-256: 0c948baf9899cd0e6b4e5f840f7a9c45f95f77441ad2563d14313536bce5fe36
Size: 124.87 kB
- ruby-libs-2.5.9-107.module+el8+1287+ade9f336.i686.rpm
MD5: acc69d9bd76e61a2dc615f02516ddda9
SHA-256: f5ac6c65021f39196e2fdecc6ee09013f9df61348d520e35583e26e9ad5b368a
Size: 3.03 MB
- rubygem-bigdecimal-1.3.4-107.module+el8+1287+ade9f336.i686.rpm
MD5: 229e46e08d781eb1b295b520ccc25066
SHA-256: 33feb6cdbb180862da279e75e3d88e5d8a19599f383eb4ebb92ead53c5ba920a
Size: 98.97 kB
- rubygem-io-console-0.4.6-107.module+el8+1287+ade9f336.i686.rpm
MD5: 163a4b13a70520db95929547e679213f
SHA-256: 8f3bc44d603f2033809dfe7a08c16b27378fb346fac36c3a0a3b4cba98e1ad83
Size: 66.48 kB
- rubygem-json-2.1.0-107.module+el8+1287+ade9f336.i686.rpm
MD5: 4df36d186c2ee7942f2441ffd4d32262
SHA-256: 574d7ccd1b8b164821672e6118da55dbef8dc6acab44da37842d59e18a260878
Size: 90.69 kB
- rubygem-net-telnet-0.1.1-107.module+el8+1287+ade9f336.noarch.rpm
MD5: 5d3c6a4b4c3e8e1d3667f6c742e5742a
SHA-256: 66bd2255c164cad339616613eb398a444c80e95a763924aca41539844487cd9d
Size: 69.07 kB
- rubygem-openssl-2.1.2-107.module+el8+1287+ade9f336.i686.rpm
MD5: 85a60f995c5089abb3658ac35aebbd62
SHA-256: 670f82d168b25490c5fb3e4535a6920ec0fdb583caeacc6672d80780772dfec0
Size: 200.42 kB
- rubygem-psych-3.0.2-107.module+el8+1287+ade9f336.i686.rpm
MD5: 532e946b4cdf52e84cfd3f17ad201c87
SHA-256: e70e90321b01b6e1cbd4354067b3714a0780dafbf73f95925971228e1ba6333f
Size: 95.27 kB