rh-ruby27-ruby-2.7.4-130.el7
エラータID: AXSA:2021-2423:02
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: rh-ruby27-ruby (2.7.4).
Security Fix(es):
* rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source (CVE-2020-36327)
* rubygem-rdoc: Command injection vulnerability in RDoc (CVE-2021-31799)
* ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host (CVE-2021-31810)
* ruby: StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2020-36327
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
CVE-2021-31799
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
CVE-2021-31810
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
CVE-2021-32066
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Update packages.
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
N/A
SRPMS
- rh-ruby27-ruby-2.7.4-130.el7.src.rpm
MD5: 36ae490538ccc87948b04c6c8c385337
SHA-256: 7305360902325562ed877485c18ccc9a8c0a012c13059e408cc1fd9f1d92f069
Size: 40.07 MB
Asianux Server 7 for x86_64
- rh-ruby27-ruby-2.7.4-130.el7.x86_64.rpm
MD5: 82b4594d2fdd9793a0de8e68940c7ba7
SHA-256: cd117c57068be355f10efad7a24f659347e384e3183e7c435a7700b2ad8176f8
Size: 78.95 kB - rh-ruby27-ruby-devel-2.7.4-130.el7.x86_64.rpm
MD5: bc0e9a2ac7fbfbd5027f610d10535a56
SHA-256: 2f360f76a812ceb51fd9ad28dbca6c1d1585ceaecd32e27548c9af7cca50d062
Size: 246.21 kB - rh-ruby27-ruby-doc-2.7.4-130.el7.noarch.rpm
MD5: 78c2420f506ae01c544f98bdea0dd86f
SHA-256: b058b911962d1d6b9452dc7a4b4b8a374c6a8e20bfa4cb000f44f74c9b03545c
Size: 6.77 MB - rh-ruby27-rubygem-bigdecimal-2.0.0-130.el7.x86_64.rpm
MD5: 06736422beebf917c9831bd7382ee89f
SHA-256: f4a4172533bd5a40a788da9b8244475e505a766ceaecb8c79fa608d4e13fda2a
Size: 89.63 kB - rh-ruby27-rubygem-bundler-2.2.24-130.el7.noarch.rpm
MD5: d7717e5d73fe406b38b164105c71bd97
SHA-256: 5012902e0fa5fda02d18ad32b075e4aee0fd2b38449de2ba39064f917a7605ec
Size: 440.40 kB - rh-ruby27-rubygem-did_you_mean-1.4.0-130.el7.noarch.rpm
MD5: c91c921789b670632f45446f58778790
SHA-256: 76f92e9cf37087cdbeb9f022d6a151b0f12cca7735ef9ec45eed93b9b2571c19
Size: 61.06 kB - rh-ruby27-rubygem-io-console-0.5.6-130.el7.x86_64.rpm
MD5: c09e9c934f4844bfd617e747ee100db8
SHA-256: 589081b4ef8f944f980893db99c1795a4d854d1585d871853725818772fdd45f
Size: 61.78 kB - rh-ruby27-rubygem-irb-1.2.6-130.el7.noarch.rpm
MD5: 553ed2ab2943ea834a3fabf8139033e5
SHA-256: 81c8ce417b50dc89c8f75a7fd08c077518ba4b49dfa897d898c86fb8e40b629f
Size: 102.12 kB - rh-ruby27-rubygem-json-2.3.0-130.el7.x86_64.rpm
MD5: c959500ca1c82b0cd9084da6d870f778
SHA-256: f5f678d71df83059d6850d056851a951d77d526783df5de83e38ef58e3c62541
Size: 82.94 kB - rh-ruby27-rubygem-minitest-5.13.0-130.el7.noarch.rpm
MD5: f19f9d3e2e879ec26e7f01b896a7d648
SHA-256: 08fca26a362b0b09ab330de2ba154730aeb3a60e3338c669ac1def623730e52d
Size: 122.35 kB - rh-ruby27-rubygem-net-telnet-0.2.0-130.el7.noarch.rpm
MD5: c2ec07bb0bafecd27954e1f3188c4cad
SHA-256: e1ceb53e74c69ce7d30b8700a20da4fc5e59194446c0288e66e903f2b9602387
Size: 63.29 kB - rh-ruby27-rubygem-openssl-2.1.2-130.el7.x86_64.rpm
MD5: 884c33a9b6a46d17bf12d548b35dbecd
SHA-256: c21e30b59d19ec63c7f336a4ffc8b140827bd88aa4adc5cc883c610a8cebc323
Size: 179.15 kB - rh-ruby27-rubygem-power_assert-1.1.7-130.el7.noarch.rpm
MD5: cf8fcc49d0dd9a587e0d839fea74c9ea
SHA-256: 9c9f0129325d0ef061852ca53833e2be799122f8201bd81ecd8011926735add9
Size: 62.77 kB - rh-ruby27-rubygem-psych-3.1.0-130.el7.x86_64.rpm
MD5: 7653fbbc8608593ec40fc4afa6c48fc2
SHA-256: 8bbca52761372c4c8562f1bbc3937bc238819f3e93c6ff6dd9358e0013b78c0e
Size: 88.00 kB - rh-ruby27-rubygem-racc-1.4.16-130.el7.x86_64.rpm
MD5: 7e68f89d2c37736fbc976a4184b13d1d
SHA-256: 18bfeb7cc133f0e6dae67bb478bffb873f3746849efaa13e9a551b4702f954c9
Size: 93.77 kB - rh-ruby27-rubygem-rake-13.0.1-130.el7.noarch.rpm
MD5: 8ba8e203671cb905b9098a3a9d71c8be
SHA-256: 90487df7e44810bf836deefccf4a26254a4d64e07ebb9acf8290fc93b4ee015f
Size: 134.96 kB - rh-ruby27-rubygem-rdoc-6.2.1.1-130.el7.noarch.rpm
MD5: 69cafcb3189d8fda640fe6919c141208
SHA-256: d47deaa925aa898169d9b9a9613b9b392e0a4919409c9d222c8fe9dbb06123b9
Size: 448.20 kB - rh-ruby27-rubygems-3.1.6-130.el7.noarch.rpm
MD5: 6f03b1e77a91d3151ad6c14dedc8a2e3
SHA-256: c025ecdca16555fa86503f98b8e01f616e44c3cfa079cf74e4e64a84ded256e8
Size: 314.21 kB - rh-ruby27-rubygems-devel-3.1.6-130.el7.noarch.rpm
MD5: d8f9a39e70e3ca291ab6d4088406af9b
SHA-256: ae4031e69948180be09980df76bb653ceaee3a27e9e27ea4219613629223dc76
Size: 50.57 kB - rh-ruby27-rubygem-test-unit-3.3.4-130.el7.noarch.rpm
MD5: 0e0f131435b53a03ada43b2ec5a0b9f9
SHA-256: 6140ad13dff460d26b4ded0e0c41f741a473a4097c5ea09f02ca507d20f3c1e1
Size: 180.33 kB - rh-ruby27-rubygem-xmlrpc-0.3.0-130.el7.noarch.rpm
MD5: ce73c56f5756a1d60f7ecbe754966cdf
SHA-256: bc514b50f9722a427b7dd3455410a1791a2ed8ff489e42399536352c6cdbc1ea
Size: 74.84 kB - rh-ruby27-ruby-libs-2.7.4-130.el7.x86_64.rpm
MD5: 6a42fce3b7936460592dafffadaad344
SHA-256: 3ac8961e9177c4cf7893b9e47dc42a1f2cd2eda0d603c0b20b6cc93f009996eb
Size: 3.04 MB