ruby:2.7 security update
Errata ID: AXSA:2021-2407:01
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
Security Fix(es):
* rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source (CVE-2020-36327)
* rubygem-rdoc: Command injection vulnerability in RDoc (CVE-2021-31799)
* ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host (CVE-2021-31810)
* ruby: StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2020-36327
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
CVE-2021-31799
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
CVE-2021-31810
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions through the client).
CVE-2021-32066
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the server to block the StartTLS command, aka a "StartTLS stripping attack."
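Added example (not taken from the advisory or from Ruby's own Net::FTP source) showing the CVE-2021-31810 failure mode and the mitigation the upstream fix adopted: the data connection keeps the advertised port but reconnects to the control-connection host instead of the address in the PASV reply. The function names and sample replies are constructed.

```ruby
# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = /\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Parses a 227 reply and returns [host, port] exactly as the server advertised.
def parse_pasv(reply)
  raise ArgumentError, "not a 227 reply: #{reply.inspect}" unless reply.start_with?("227")
  m = PASV_RE.match(reply)
  raise ArgumentError, "malformed PASV reply: #{reply.inspect}" unless m
  octets = m.captures.map(&:to_i)
  raise ArgumentError, "octet out of range" if octets.any? { |o| o > 255 }
  host = octets[0, 4].join(".")
  port = (octets[4] << 8) | octets[5]
  [host, port]
end

# Pre-fix behaviour (Ruby <= 2.7.3): the data connection goes wherever the
# server says, so a hostile server can point the client at an address that is
# only reachable from the client's own network.
def data_target_trusting_server(reply)
  parse_pasv(reply)
end

# Hardened behaviour, the approach taken by the fix (Net::FTP ignores the PASV
# address unless use_pasv_ip is explicitly enabled): keep the advertised port,
# always dial the control-connection host, and flag a mismatch so it can be logged.
def data_target_pinned(reply, control_host)
  host, port = parse_pasv(reply)
  { host: control_host, port: port, server_redirect_attempt: host != control_host }
end

if $PROGRAM_NAME == __FILE__
  control_host = "203.0.113.10"                                  # constructed (TEST-NET-3)
  honest  = "227 Entering Passive Mode (203,0,113,10,195,80)"    # constructed: same host, port 50000
  hostile = "227 Entering Passive Mode (10,0,0,5,0,22)"          # constructed: points into a private range
  p data_target_trusting_server(hostile)        # => ["10.0.0.5", 22]
  p data_target_pinned(hostile, control_host)   # host pinned, redirect attempt flagged
  p data_target_pinned(honest, control_host)    # no redirect attempt
end
```

A mismatch between the PASV address and the control-connection host is a useful detection signal on its own, even when the client already pins the host.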
Modularity name: ruby
Stream name: 2.7
Update packages.
N/A
SRPMS
- rubygem-abrt-0.4.0-1.module+el8+1302+a6d55447.src.rpm
- rubygem-bson-4.8.1-1.module+el8+1302+a6d55447.src.rpm
- rubygem-mongo-2.11.3-1.module+el8+1302+a6d55447.src.rpm
- rubygem-mysql2-0.5.3-1.module+el8+1302+a6d55447.src.rpm
- rubygem-pg-1.2.3-1.module+el8+1302+a6d55447.src.rpm
- ruby-2.7.4-137.module+el8+1302+a6d55447.src.rpm
Asianux Server 8 for x86_64
- rubygem-abrt-0.4.0-1.module+el8+1302+a6d55447.noarch.rpm
- rubygem-abrt-doc-0.4.0-1.module+el8+1302+a6d55447.noarch.rpm
- rubygem-bson-4.8.1-1.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-bson-debugsource-4.8.1-1.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-bson-doc-4.8.1-1.module+el8+1302+a6d55447.noarch.rpm
- rubygem-mongo-2.11.3-1.module+el8+1302+a6d55447.noarch.rpm
- rubygem-mongo-doc-2.11.3-1.module+el8+1302+a6d55447.noarch.rpm
- rubygem-mysql2-0.5.3-1.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-mysql2-debugsource-0.5.3-1.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-mysql2-doc-0.5.3-1.module+el8+1302+a6d55447.noarch.rpm
- rubygem-pg-1.2.3-1.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-pg-debugsource-1.2.3-1.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-pg-doc-1.2.3-1.module+el8+1302+a6d55447.noarch.rpm
- ruby-2.7.4-137.module+el8+1302+a6d55447.x86_64.rpm
- ruby-debugsource-2.7.4-137.module+el8+1302+a6d55447.x86_64.rpm
- ruby-default-gems-2.7.4-137.module+el8+1302+a6d55447.noarch.rpm
- ruby-devel-2.7.4-137.module+el8+1302+a6d55447.x86_64.rpm
- ruby-doc-2.7.4-137.module+el8+1302+a6d55447.noarch.rpm
- ruby-libs-2.7.4-137.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-bigdecimal-2.0.0-137.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-bundler-2.2.24-137.module+el8+1302+a6d55447.noarch.rpm
- rubygem-io-console-0.5.6-137.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-irb-1.2.6-137.module+el8+1302+a6d55447.noarch.rpm
- rubygem-json-2.3.0-137.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-minitest-5.13.0-137.module+el8+1302+a6d55447.noarch.rpm
- rubygem-net-telnet-0.2.0-137.module+el8+1302+a6d55447.noarch.rpm
- rubygem-openssl-2.1.2-137.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-power_assert-1.1.7-137.module+el8+1302+a6d55447.noarch.rpm
- rubygem-psych-3.1.0-137.module+el8+1302+a6d55447.x86_64.rpm
- rubygem-rake-13.0.1-137.module+el8+1302+a6d55447.noarch.rpm
- rubygem-rdoc-6.2.1.1-137.module+el8+1302+a6d55447.noarch.rpm
- rubygem-test-unit-3.3.4-137.module+el8+1302+a6d55447.noarch.rpm
- rubygem-xmlrpc-0.3.0-137.module+el8+1302+a6d55447.noarch.rpm
- rubygems-3.1.6-137.module+el8+1302+a6d55447.noarch.rpm
- rubygems-devel-3.1.6-137.module+el8+1302+a6d55447.noarch.rpm
- ruby-2.7.4-137.module+el8+1302+a6d55447.i686.rpm
- ruby-debugsource-2.7.4-137.module+el8+1302+a6d55447.i686.rpm
- ruby-devel-2.7.4-137.module+el8+1302+a6d55447.i686.rpm
- ruby-libs-2.7.4-137.module+el8+1302+a6d55447.i686.rpm
- rubygem-bigdecimal-2.0.0-137.module+el8+1302+a6d55447.i686.rpm
- rubygem-io-console-0.5.6-137.module+el8+1302+a6d55447.i686.rpm
- rubygem-json-2.3.0-137.module+el8+1302+a6d55447.i686.rpm
- rubygem-openssl-2.1.2-137.module+el8+1302+a6d55447.i686.rpm
- rubygem-psych-3.1.0-137.module+el8+1302+a6d55447.i686.rpm