rh-ruby30-ruby-3.0.2-148.el7

Errata ID: AXSA:2021-2500:01

Release date:
2021/10/26 Tuesday - 01:22
Title:
rh-ruby30-ruby-3.0.2-148.el7
Affected channels:
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version: rh-ruby30-ruby (3.0.2).

Security Fix(es):

* rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source (CVE-2020-36327)
* rubygem-rdoc: Command injection vulnerability in RDoc (CVE-2021-31799)
* ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host (CVE-2021-31810)
* ruby: StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-36327
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
CVE-2021-31799
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
CVE-2021-31810
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
CVE-2021-32066
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
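
For CVE-2021-31810 above, one way a client can refuse to follow the address advertised in a PASV reply. This is an added example, not code from this advisory or from Net::FTP; `parse_pasv`, `data_endpoint`, `PasvError` and the sample replies are hypothetical names and constructed values, and `control_peer` is assumed to be the numeric IP of the established control connection.

```ruby
require "ipaddr"

# Address tuple of a 227 reply: (h1,h2,h3,h4,p1,p2)
PASV_TUPLE = /\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

class PasvError < StandardError; end

# Parse a PASV reply into [host, port]; raise on anything malformed.
def parse_pasv(reply)
  raise PasvError, "not a 227 reply" unless reply.start_with?("227")
  m = PASV_TUPLE.match(reply) or raise PasvError, "no address tuple"
  nums = m.captures.map(&:to_i)
  raise PasvError, "octet out of range" if nums.any? { |n| n > 255 }
  host = nums[0, 4].join(".")
  port = (nums[4] << 8) | nums[5]
  raise PasvError, "port 0" if port.zero?
  [host, port]
end

# Decide where the data connection goes. control_peer is the numeric IP of
# the control connection, the only address the user actually chose.
#   policy :ignore -> always connect back to control_peer; the advertised
#                     IP is recorded but never used
#   policy :strict -> raise if the advertised IP differs from control_peer
def data_endpoint(reply, control_peer, policy: :ignore)
  host, port = parse_pasv(reply)
  same = IPAddr.new(host) == IPAddr.new(control_peer)
  if policy == :strict && !same
    raise PasvError, "PASV host #{host} differs from control peer #{control_peer}"
  end
  { host: control_peer, port: port, advertised: host, mismatch: !same }
end

# Constructed sample replies (documentation/private ranges, not real servers).
SAMPLES = [
  "227 Entering Passive Mode (192,0,2,10,195,80)", # same host as control peer
  "227 Entering Passive Mode (10,0,0,5,0,22)",     # points at a different host
]

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |reply| p data_endpoint(reply, "192.0.2.10") }
end
```

The `mismatch` flag is worth logging: a server that advertises a data address other than its own is either misconfigured (NAT) or attempting the redirection the CVE describes.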

Solution:

Update packages.

Additional information:

N/A

Download:

SRPMS
  1. rh-ruby30-ruby-3.0.2-148.el7.src.rpm
    MD5: f57f97526ae3646695adbabdc1ddad72
    SHA-256: 26f099ec3f76d2a77e6990bd0d3b0b0e65eb92f3621bf9238e86a9dd8c79710d
    Size: 14.16 MB

Asianux Server 7 for x86_64
  1. rh-ruby30-ruby-3.0.2-148.el7.x86_64.rpm
    MD5: 725faf7dda59cf59d68c42e7530a4863
    SHA-256: 39cb2929cb08de01a4abffbd735cbe9ce952654f03ebe6ff1c210e8a1bda36f6
    Size: 81.97 kB
  2. rh-ruby30-ruby-default-gems-3.0.2-148.el7.noarch.rpm
    MD5: e46cfbeeeb923ca541762ae72c5a2dda
    SHA-256: 9745dc848d81dbf5b85745973e4758f1eae211429c1a888a9b4351843255fce2
    Size: 76.67 kB
  3. rh-ruby30-ruby-devel-3.0.2-148.el7.x86_64.rpm
    MD5: 697cb540827c94fe65c2441d02114373
    SHA-256: dae44d4ba27cb237ad73b73f1475f638af6ab986761a43003cd79f1fad8accb3
    Size: 321.52 kB
  4. rh-ruby30-ruby-doc-3.0.2-148.el7.noarch.rpm
    MD5: b17a47dfe884ac5a684edd3bc67ee8cc
    SHA-256: 0b9efd33ac535f7347efcbad8e98fc2e2909c93b319b4e490e901ce1ba0f5ad3
    Size: 5.73 MB
  5. rh-ruby30-rubygem-bigdecimal-3.0.0-148.el7.x86_64.rpm
    MD5: c41342feca9270a2fb2c2a5fa80e3d7c
    SHA-256: 18f2169beddc89411760ccd04a54a0ab312a67644def3d10bd24974b143b44dd
    Size: 91.84 kB
  6. rh-ruby30-rubygem-bundler-2.2.22-148.el7.noarch.rpm
    MD5: c80ba5b804dadcfa1f39edc1f5e4e520
    SHA-256: ac3cadc6bd41c4f318be3e30f1a895fac7b627a5fcf567289d368761061e5397
    Size: 439.85 kB
  7. rh-ruby30-rubygem-io-console-0.5.7-148.el7.x86_64.rpm
    MD5: 593fcb7ee9a5e4b832b33167174f7b0b
    SHA-256: a1d4be5bb3a5a91ccc5272c6b1586f904f6ae6ebdd3e22f6240e7d5b88f92c5e
    Size: 63.11 kB
  8. rh-ruby30-rubygem-irb-1.3.5-148.el7.noarch.rpm
    MD5: 90b48dc75f6b500b54244747262dee4d
    SHA-256: 3d91eb8e778d380aa9a125638e0bc209a8ecadd627bc92d2fdadd3c6ccc3029b
    Size: 108.68 kB
  9. rh-ruby30-rubygem-json-2.5.1-148.el7.x86_64.rpm
    MD5: 56b0a0f670163412d942aaa94a38f1f5
    SHA-256: 5ad3b7ba679d1d815ae3b975fe57d7e5f33dc382ee295cdb8112a6a10b80e978
    Size: 90.16 kB
  10. rh-ruby30-rubygem-minitest-5.14.2-148.el7.noarch.rpm
    MD5: 94368ac9e7ab6f4b86930a38c3e719dc
    SHA-256: 92bb798776518b6b8d5d5344a52b48aec9d2857e4e79cf403ab4b999cc15290f
    Size: 123.95 kB
  11. rh-ruby30-rubygem-power_assert-1.2.0-148.el7.noarch.rpm
    MD5: e951c92d0c994c5f503b97557b331491
    SHA-256: a3c2861ac6a138703f45c6a3dd1478269bfd438e39008ee2e32a89b415e65d32
    Size: 63.07 kB
  12. rh-ruby30-rubygem-psych-3.3.0-148.el7.x86_64.rpm
    MD5: baf15c4ddf113803835d815d49d78999
    SHA-256: 7c2b7d53e01e7124e68bae171f7dd4d28131234cdf3fda1c165a862304b2e74e
    Size: 89.56 kB
  13. rh-ruby30-rubygem-rake-13.0.3-148.el7.noarch.rpm
    MD5: 8822a4936e6e21e7e0b57e53646120fa
    SHA-256: b84730c2796452ce9981e63cba073866546fe528d768c702c4fc9885a6b35491
    Size: 134.99 kB
  14. rh-ruby30-rubygem-rbs-1.0.4-148.el7.noarch.rpm
    MD5: dd7a477cf952dfec417d6e208c1e2163
    SHA-256: a09303c7a09037b5511f50c27476fe9195782f51b17ee512357ca986e5c452d6
    Size: 450.54 kB
  15. rh-ruby30-rubygem-rexml-3.2.5-148.el7.noarch.rpm
    MD5: 54f30ccb67181417c139640de940795a
    SHA-256: eddb3592aaf083af4ffc28cc5f3497292f2638a4eb3cc5a6360c02016693d8a6
    Size: 141.37 kB
  16. rh-ruby30-rubygem-rss-0.2.9-148.el7.noarch.rpm
    MD5: 945abc93a11c243121211d5672f4690f
    SHA-256: b53b95b315b3ed1a9a8b51d68d966f512f7cba94fa8d045f5a1f63a9df97ad83
    Size: 152.82 kB
  17. rh-ruby30-rubygems-3.2.22-148.el7.noarch.rpm
    MD5: 381b72b4da119a0175bb859c3ffbc6c7
    SHA-256: 66d5faa9d9b8efd48168ee3110d6155852cbf77902ae314a4a7444cd897043da
    Size: 312.59 kB
  18. rh-ruby30-rubygems-devel-3.2.22-148.el7.noarch.rpm
    MD5: 27c53952cd54e4d50a7e00433716fb2d
    SHA-256: d3d2fe52ac71a3732ccb2be657d6ae4e9894a0ac7a3f18b2018d8b93bb14e786
    Size: 51.17 kB
  19. rh-ruby30-rubygem-test-unit-3.3.7-148.el7.noarch.rpm
    MD5: 0f7443fc26b9133d1562dd9132cc80bd
    SHA-256: d0d2709457e17c40d1b4f4a82eb6f65c8404d09c4938e785d31cc5508ee8de2f
    Size: 171.98 kB
  20. rh-ruby30-rubygem-typeprof-0.12.0-148.el7.noarch.rpm
    MD5: ca3ff8acc61fde6e3233a655bc6b1f35
    SHA-256: 3e6968683056451cd23c8b60901b45d19e1f2a4571d8c19f1f8066fe324894a1
    Size: 571.18 kB
  21. rh-ruby30-ruby-libs-3.0.2-148.el7.x86_64.rpm
    MD5: 2e6a9a6cd6491807e516d1eee734dda4
    SHA-256: f17943e5eb447791a820ca89c81ab0c659045a55b4d9828a6e40ce49392c90c7
    Size: 3.54 MB