ruby:2.6 security update
Errata ID: AXSA:2022-3073:01
The following issues have been addressed.
[Security Fix]
- Bundler chooses a dependency source based on the highest gem version number, so a rogue gem found at a public source may be chosen, even when the intended choice was a private gem that is a dependency of another private gem explicitly depended on by the application. (CVE-2020-36327)
- RDoc allows arbitrary code execution via a file whose name begins with "|" and ends with tags. (CVE-2021-31799)
- A malicious FTP server can use a PASV response to trick Ruby's Net::FTP into connecting back to a specified IP address and port, allowing information about private, undisclosed services to be extracted. (CVE-2021-31810)
- Ruby's Net::IMAP does not raise an exception when StartTLS fails with an unknown response; an attacker in a man-in-the-middle network position between the client and the registry can block the StartTLS command and bypass the TLS protections, a so-called "StartTLS stripping attack". (CVE-2021-32066)
- Date.parse in Ruby's date gem is vulnerable to a regular-expression denial of service when parsing a crafted date string. (CVE-2021-41817)
- Ruby's CGI::Cookie.parse method mishandles security prefixes in cookie names, allowing an attacker to spoof the security prefix of a cookie name and deceive the application. (CVE-2021-41819)
Modularity name: ruby
Stream name: 2.6
Please update the packages.
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
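The CGI::Cookie.parse issue (CVE-2021-41819) comes down to what a parser does with a cookie's name before deciding whether it carries a "__Host-" or "__Secure-" prefix. The following is an added example, not code from Ruby, the cgi gem or this errata: a small Cookie-header parser that keeps names byte-for-byte as received and URL-decodes only values (the approach upstream took in the fix, which stopped decoding names), plus a detection helper that flags names a decoding parser would have misread as prefixed. The sample header and all function names are constructed for illustration.

```ruby
require "cgi"

# Added example, not code from Ruby, the cgi gem or this errata: a minimal
# Cookie request-header parser that keeps cookie NAMES byte-for-byte as sent
# and URL-decodes only the VALUES. The upstream fix for CVE-2021-41819 took the
# same approach (names are no longer URL-decoded), so a name that only turns
# into "__Host-..." or "__Secure-..." after decoding is never mistaken for one
# that really carries the prefix.

SECURITY_PREFIXES = ["__Host-", "__Secure-"].freeze

# "a=1; b=2" -> { "a" => ["1"], "b" => ["2"] }; duplicate names keep all values.
# Splitting mirrors CGI::Cookie.parse; the name is deliberately left untouched.
def parse_cookie_header(header)
  cookies = {}
  header.to_s.split(/[;,]\s?/).each do |pair|
    name, value = pair.split("=", 2)
    next if name.nil? || name.strip.empty?
    (cookies[name.strip] ||= []) << CGI.unescape(value.to_s)
  end
  cookies
end

# Prefix test on the raw name only.
def security_prefixed?(name)
  SECURITY_PREFIXES.any? { |prefix| name.start_with?(prefix) }
end

# Value of a prefixed cookie, or nil when the requested name is not itself
# prefixed, the cookie is absent, or it was sent more than once.
def trusted_prefixed_cookie(cookies, name)
  return nil unless security_prefixed?(name)
  values = cookies.fetch(name, [])
  values.size == 1 ? values.first : nil
end

# Detection aid: raw names that are not prefixed as sent but would become
# prefixed if a parser URL-decoded them first. Worth logging on an unpatched Ruby.
def prefix_spoof_candidates(cookies)
  cookies.keys.reject { |n| security_prefixed?(n) }
              .select { |n| security_prefixed?(CGI.unescape(n)) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample header: one genuine __Host- cookie and one whose raw
  # name only looks prefixed after URL decoding.
  header = "__Host-session=abc123; %5F%5FHost-session=forged; theme=dark"
  jar = parse_cookie_header(header)
  p trusted_prefixed_cookie(jar, "__Host-session")
  p prefix_spoof_candidates(jar)
end
```

On a patched Ruby the same property holds inside CGI::Cookie.parse itself; the helper above is useful mainly for applications that read the Cookie header directly, and for logging requests whose cookie names would have collided under the old behaviour.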
N/A
SRPMS
- rubygem-abrt-0.3.0-4.module+el8+1398+5d23a560.src.rpm
MD5: afa7f88f0174249f9bac90cae10b5ce7
SHA-256: 4fd8fcf25396fd6ce3ac9266b2bb1d1d07a458b192e908ddf83cd4904859f3d3
Size: 16.03 kB
- rubygem-bson-4.5.0-1.module+el8+1398+5d23a560.src.rpm
MD5: 83fbad75ca3306cd2d33d7302ee96b9a
SHA-256: 0f8dcbb06d0f5376c2926c4e0ca70610c5e9b0cc1409bff34e2e373a5123a268
Size: 92.83 kB
- rubygem-mongo-2.8.0-1.module+el8+1398+5d23a560.src.rpm
MD5: 2ed85c3f4f833d2cb53e4c863713b61d
SHA-256: f38551eb4b75b51ede33c66c4dc1c309663bf4e749373debd1d82b3d6576dbf7
Size: 509.32 kB
- rubygem-mysql2-0.5.2-1.module+el8+1398+5d23a560.src.rpm
MD5: 7fa0ca63590f9747f7bf43b8ed0a2a17
SHA-256: db6b321940838b37191ac365358f0ac3de4c85ccbca29251e771dfc34ff00f7b
Size: 107.02 kB
- rubygem-pg-1.1.4-1.module+el8+1398+5d23a560.src.rpm
MD5: 87c62c187b81dd938bf8c0fbb1c40228
SHA-256: fa9497affe15819f1be3f5d110e939f5b82c02090fafa228ae8a8eaae20a92f5
Size: 237.23 kB
- ruby-2.6.9-108.module+el8+1398+5d23a560.src.rpm
MD5: 7f5e983170cd9dea87c1d3f59268f34d
SHA-256: 2b83ba6af7369f7b68b5f785b70b1b85c60f92feb8a824d72ca225568a463438
Size: 11.17 MB
Asianux Server 8 for x86_64
- rubygem-abrt-0.3.0-4.module+el8+1398+5d23a560.noarch.rpm
MD5: 6b763d5280c219fe2c85aa86374b6b4a
SHA-256: 47b979f3cf1c4686a4c888ec64abd3d7d82f1b333ae8644bfc2095b08d9912ee
Size: 12.48 kB
- rubygem-abrt-doc-0.3.0-4.module+el8+1398+5d23a560.noarch.rpm
MD5: 8aa0592482533230f72ea8a2e5b95b3f
SHA-256: b7ef74f5662d92b35f90bdbda784fd3d5f08635757655c2aba14e759c827c6a0
Size: 197.99 kB
- rubygem-bson-4.5.0-1.module+el8+1398+5d23a560.x86_64.rpm
MD5: dc84714084038aa21f483563505c1ae0
SHA-256: cc55abb77d72c62accbdbb3c8843b4c4ef4f233a4e86b4f0160d35daa832e090
Size: 54.92 kB
- rubygem-bson-debugsource-4.5.0-1.module+el8+1398+5d23a560.x86_64.rpm
MD5: 72b4ea881646ac4c8b2798ca1fe6d0a7
SHA-256: 4c4dbaa3306f9103f8cafd0e277d7e2241f2776bb6890300b228384cf5bd6759
Size: 20.33 kB
- rubygem-bson-doc-4.5.0-1.module+el8+1398+5d23a560.noarch.rpm
MD5: 8efd464108e94729561c6eec40b77c09
SHA-256: 8921243254049e315c2d6ac36441ce85f2c30c862cc0c18602970106481f3e90
Size: 378.71 kB
- rubygem-mongo-2.8.0-1.module+el8+1398+5d23a560.noarch.rpm
MD5: d2bed2e78744aff58a5e0d7778342a59
SHA-256: fe15698897ecd25cc4e181679c9e371e06f116a61067016939b338741048cf40
Size: 262.16 kB
- rubygem-mongo-doc-2.8.0-1.module+el8+1398+5d23a560.noarch.rpm
MD5: a04343cc78cc75eaeed1621334f34efd
SHA-256: f22e9bdd1b4dea95b4a813098724da440becb8711ea43c69ce233a492e1fda78
Size: 1.42 MB
- rubygem-mysql2-0.5.2-1.module+el8+1398+5d23a560.x86_64.rpm
MD5: 1f34c18b4ecbdfd558b4a1334aaae2b9
SHA-256: 151f1ac1c0cd51a2f6f26688df4d66e6ca8d44ffa1dce6cb9e2d5f5ce5ff4f6a
Size: 45.73 kB
- rubygem-mysql2-debugsource-0.5.2-1.module+el8+1398+5d23a560.x86_64.rpm
MD5: 08f85bb2c42c1ecca00e45a8ac0c0859
SHA-256: 343213f0d44b74fb76cbd9964c5d0580219b30b88d100810fef7fe9f6516cced
Size: 36.31 kB
- rubygem-mysql2-doc-0.5.2-1.module+el8+1398+5d23a560.noarch.rpm
MD5: daaa5a709bbf54b341b378bdb6c66516
SHA-256: c177d9ec6d88fd2ae7d4c6984545973e953f13d84119f9e2251add95b360552e
Size: 274.23 kB
- rubygem-pg-1.1.4-1.module+el8+1398+5d23a560.x86_64.rpm
MD5: 9f6b8e62f11c6779457b04f6e7bcd748
SHA-256: dfe7db733124bdea30dfb30b397dabf3221719a37554b8f57fc2bcab1c507641
Size: 95.99 kB
- rubygem-pg-debugsource-1.1.4-1.module+el8+1398+5d23a560.x86_64.rpm
MD5: f44226c046710ecbaed21889723649de
SHA-256: 36c6ff9db590f1e4f664994a841f9a5f4e3086db6df329c5b1dfa6aa6f8722ce
Size: 91.65 kB
- rubygem-pg-doc-1.1.4-1.module+el8+1398+5d23a560.noarch.rpm
MD5: 3cdcfe19c4306bdd326a2afa06f23343
SHA-256: 2a538ea174f475825575096937a79ef91c6064eda84c4382ca67cb8e3ef02f88
Size: 549.99 kB
- ruby-2.6.9-108.module+el8+1398+5d23a560.x86_64.rpm
MD5: 6dccdc9ded18f2d0477aaa0d6e4e80c7
SHA-256: a86a7053e1c7836166163b24afcc2b4c103bef6b12f27c145dfb88bde7fd8689
Size: 86.27 kB
- ruby-debugsource-2.6.9-108.module+el8+1398+5d23a560.x86_64.rpm
MD5: af440185b4ef7f31e491a343b059b6c7
SHA-256: d9dbf9e5581b1769a7f785dfb143106728c10970f3ce230f20a68df8ef22c286
Size: 3.81 MB
- ruby-devel-2.6.9-108.module+el8+1398+5d23a560.x86_64.rpm
MD5: fd2a4655894868295a98d49b91bba7e9
SHA-256: 1194937fea238deb430025061174cf9e82181c5c512aeb68fd49d42cc40a13f5
Size: 242.48 kB
- ruby-doc-2.6.9-108.module+el8+1398+5d23a560.noarch.rpm
MD5: 7ade2d14364c1bc0277f869c8d227ea4
SHA-256: 9d5ccb0cee0a013b94ce9f2c8ddb2059b4787712c98f8c32015990299a422d97
Size: 6.02 MB
- ruby-libs-2.6.9-108.module+el8+1398+5d23a560.x86_64.rpm
MD5: f03590c5d580a22e1a947db6716cfba2
SHA-256: c3d9391f5bdda8b978b99d329e85585fe4469ef0b6f95d9857d7f0b7981e7114
Size: 3.03 MB
- rubygem-bigdecimal-1.4.1-108.module+el8+1398+5d23a560.x86_64.rpm
MD5: c56fa96f2d7e7de74984cc103c6a2592
SHA-256: 7f2422667f809913069c1b655de69b5f93fd62425cd0b1caa8f837c3a72fcaa5
Size: 99.84 kB
- rubygem-bundler-1.17.2-108.module+el8+1398+5d23a560.noarch.rpm
MD5: 3b1602744536ce2b35d9b736ff951d47
SHA-256: 0d3e38128afd7d93438b125e01856e8a668e3693347fa6a19f6139c8ec30550b
Size: 354.79 kB
- rubygem-did_you_mean-1.3.0-108.module+el8+1398+5d23a560.noarch.rpm
MD5: b6e58d9d0998e0d2e4f2c427bd76c340
SHA-256: ed6c8256c6c253e7d76c73129b295ce16a547aaba4ee3751ead71328bb4008c5
Size: 81.49 kB
- rubygem-io-console-0.4.7-108.module+el8+1398+5d23a560.x86_64.rpm
MD5: c9134e3af1fe74991d2a37f6b356c61d
SHA-256: 1fb2ad81b4897fd0e7c80c983a0fde5388a061644411341f9a6f141e25441f74
Size: 66.25 kB
- rubygem-irb-1.0.0-108.module+el8+1398+5d23a560.noarch.rpm
MD5: 3e19fd29bab92f4f2a6abe6d08c8f3d2
SHA-256: c416f6d370b8de0d033d7f06f5032d1285affa4ce06f779cc3627c53c5b08e7a
Size: 110.24 kB
- rubygem-json-2.1.0-108.module+el8+1398+5d23a560.x86_64.rpm
MD5: 6691036dcc6fb9053c138fa426e8147b
SHA-256: bc26d9c0c03387d2a1bed5b764490b1bbc01cee8cf6d4a22c3aa62320545a87f
Size: 89.61 kB
- rubygem-minitest-5.11.3-108.module+el8+1398+5d23a560.noarch.rpm
MD5: 366028abd8df5d022b2dc24d3cb4cb53
SHA-256: af8f014b9b0342d3ca9c3653fc91fe5afe5dc674e608e3c3450ff6c3c32c480c
Size: 124.51 kB
- rubygem-net-telnet-0.2.0-108.module+el8+1398+5d23a560.noarch.rpm
MD5: a665a487ef266c3c0fdb628915a616fe
SHA-256: 722125d066efcfa539dcbcdb0edc128a2c33d17929d2ea7f03f50d584b76954a
Size: 69.72 kB
- rubygem-openssl-2.1.2-108.module+el8+1398+5d23a560.x86_64.rpm
MD5: eafc22811ad34c9b092669f70b5f6dfc
SHA-256: b9ceef9519e89c83e41b58f1868c5ff876e40293fe3f8eec245ab7872adba66d
Size: 188.88 kB
- rubygem-power_assert-1.1.3-108.module+el8+1398+5d23a560.noarch.rpm
MD5: 9f9bb1617ee51deb8b80a1b399e7d37b
SHA-256: 1d8a912d5ea27e38e8127af8d0f6bf30263dec8b86e75258d24e9bf585c2b3b2
Size: 69.01 kB
- rubygem-psych-3.1.0-108.module+el8+1398+5d23a560.x86_64.rpm
MD5: a75c11dbfa7cb4cb4a2e5a92ba236703
SHA-256: d64ad0d7cb0d6b05dcae7c82f2ce0fce8cec49165e984e08697281c5eaab57bd
Size: 95.18 kB
- rubygem-rake-12.3.3-108.module+el8+1398+5d23a560.noarch.rpm
MD5: 573b56e79a5f103802a282f0766af75e
SHA-256: 6931afd7e1444c0c82e4ac2cfe7005a199f3c6c74c9cb59e54a6b4ba3000884a
Size: 140.70 kB
- rubygem-rdoc-6.1.2.1-108.module+el8+1398+5d23a560.noarch.rpm
MD5: 946f916a24d1903bb6814ae7b7b676d4
SHA-256: 8d6dd83dc8257d151a7c0c42db999d5004e86c5d6831ed58229f405db1801e31
Size: 455.19 kB
- rubygem-test-unit-3.2.9-108.module+el8+1398+5d23a560.noarch.rpm
MD5: 641c82b0137eda6a442df80f09645bc8
SHA-256: bd676ddb7b51fce3544ee9c20223121def282d0c79b680e5e89cbf05cff56b88
Size: 183.74 kB
- rubygem-xmlrpc-0.3.0-108.module+el8+1398+5d23a560.noarch.rpm
MD5: d7ce6912325a1c81b8b4bee2b3d2a134
SHA-256: d1c046a71c6782f863354444d9025297f9be721242b570cd730b1415261470e5
Size: 81.22 kB
- rubygems-3.0.3.1-108.module+el8+1398+5d23a560.noarch.rpm
MD5: f65ab44c39363017db89409699983f53
SHA-256: c49cd9164b3dc573c33f28f715fef589ae1f908276b632148dcbfbb0cd8453b4
Size: 314.41 kB
- rubygems-devel-3.0.3.1-108.module+el8+1398+5d23a560.noarch.rpm
MD5: 43e1fc82a455a8c19dbc5cae0415426f
SHA-256: dc640e6dde1d0aad83aa337e637bf968ea361ef5574b188bb9baea520193e52c
Size: 59.61 kB
- ruby-2.6.9-108.module+el8+1398+5d23a560.i686.rpm
MD5: b8f3b05f32be0bc96f098bd79db337e3
SHA-256: e98c8a59561fc8995c699ca26dd3eb32ca148aec1f2464a4b55b451de0541732
Size: 86.37 kB
- ruby-debugsource-2.6.9-108.module+el8+1398+5d23a560.i686.rpm
MD5: 4e1bb98b3b76f0b3f1dd118d04bdea2b
SHA-256: 5c7fcb102c05d492e9850b834276932cfa5be19e54a2a16086711d78ee0f5795
Size: 3.81 MB
- ruby-devel-2.6.9-108.module+el8+1398+5d23a560.i686.rpm
MD5: 65e5f304aa83cb99916c0efc1356811c
SHA-256: 42d5983a6540ede8873ddadf497f5f81dd040c7544674318e8e72a7dc440210c
Size: 242.06 kB
- ruby-libs-2.6.9-108.module+el8+1398+5d23a560.i686.rpm
MD5: 730695ad8c863d12d2b422ab41d7f540
SHA-256: c16d0669f696580f6382dad5c19d27443407bd571e44e5afcf4a142ed1974fca
Size: 3.14 MB
- rubygem-bigdecimal-1.4.1-108.module+el8+1398+5d23a560.i686.rpm
MD5: 60e1d9f4cd1e7e51e4b76861f9de2103
SHA-256: f54d884e77812a0b8923d09a4e7be9f8cfaec9a1c9273385b9804df74e3b8e9e
Size: 103.03 kB
- rubygem-io-console-0.4.7-108.module+el8+1398+5d23a560.i686.rpm
MD5: 84c2a3ba8e70bebdb2df2a6f4f430b6a
SHA-256: ba2b3051d05ce11979bfd20dc91f232c8ea31f6d1b275ff9a324e799afecef3d
Size: 67.04 kB
- rubygem-json-2.1.0-108.module+el8+1398+5d23a560.i686.rpm
MD5: 2121ac4030d0a51a4f8152dfa0e9b2e5
SHA-256: 867bdda12d7518c15b7de3b9a89adc19fb5db7907edb4c15852b3c32c4199271
Size: 90.98 kB
- rubygem-openssl-2.1.2-108.module+el8+1398+5d23a560.i686.rpm
MD5: 268497c664b6956b58e235639b6229d1
SHA-256: 04d4d2e288e5a71a049168e796c028e6d237d8ec35c7369d57cabdb025fc9ebe
Size: 200.80 kB
- rubygem-psych-3.1.0-108.module+el8+1398+5d23a560.i686.rpm
MD5: 03bc58803fef8501f8b304519b681dff
SHA-256: a16682baa84ee2061293d41e9a016df89de9783f0c654b24981ded473f8cf0f1
Size: 96.47 kB
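The package listing above gives an MD5, SHA-256 and size for every RPM. As an added example that is not part of this errata or of the distribution's own tooling, the Ruby script below parses a listing in this layout (a record may start at the beginning of a line or, as in the extracted text, run onto the end of a "Size:" line) and checks downloaded files against the SHA-256 values before they are installed. The package names and hashes in its fixture are constructed for the demonstration, not taken from the listing.

```ruby
require "digest"
require "tmpdir"

# Added example, not part of this errata or of the distribution's tooling:
# parse the "- file.rpm / MD5: / SHA-256: / Size:" package listing and verify
# downloaded RPMs against the SHA-256 values before installing them.
# MD5 is parsed only for display; the pass/fail decision uses SHA-256.

# A new record may begin at the start of a line ("- file.rpm") or, in the
# extracted page layout, after " - " at the end of a "Size:" line. The Size
# value on such a line still belongs to the previous record.
def parse_package_listing(text)
  records = []
  current = nil
  text.each_line do |raw|
    line = raw.strip
    head, new_file = line, nil
    if (m = line.match(/\A(.*?)(?:\A|\s)-\s+(\S+\.rpm)\z/))
      head, new_file = m[1].strip, m[2]
    end
    if current && !head.empty?
      case head
      when /\AMD5:\s*([0-9a-f]{32})\z/i     then current[:md5] = $1.downcase
      when /\ASHA-256:\s*([0-9a-f]{64})\z/i then current[:sha256] = $1.downcase
      when /\ASize:\s*(.+)\z/               then current[:size] = $1
      end
    end
    if new_file
      current = { file: new_file, md5: nil, sha256: nil, size: nil }
      records << current
    end
  end
  records
end

# Map each listed file name to :ok, :mismatch, :missing or :no_reference_hash.
def verify_packages(records, dir)
  records.each_with_object({}) do |rec, result|
    path = File.join(dir, rec[:file])
    result[rec[:file]] =
      if !File.file?(path)
        :missing
      elsif rec[:sha256].nil?
        :no_reference_hash
      elsif Digest::SHA256.file(path).hexdigest == rec[:sha256]
        :ok
      else
        :mismatch
      end
  end
end

# Constructed fixture: fake package files and a listing in the page's layout
# whose hashes match one file, disagree with a second, and name a third that
# was never downloaded. Names and hashes are made up, not from the errata.
def build_fixture(dir)
  good = "fake-good-1.0.0-1.module+el8.noarch.rpm"
  tampered = "fake-tampered-1.0.0-1.module+el8.noarch.rpm"
  File.binwrite(File.join(dir, good), "genuine package bytes\n")
  File.binwrite(File.join(dir, tampered), "bytes that differ from the listing\n")
  <<~TXT
    - #{good}
    MD5: #{Digest::MD5.hexdigest("genuine package bytes\n")}
    SHA-256: #{Digest::SHA256.hexdigest("genuine package bytes\n")}
    Size: 22 B - #{tampered}
    MD5: #{Digest::MD5.hexdigest("expected bytes\n")}
    SHA-256: #{Digest::SHA256.hexdigest("expected bytes\n")}
    Size: 15 B - fake-missing-1.0.0-1.module+el8.noarch.rpm
    MD5: #{"0" * 32}
    SHA-256: #{"0" * 64}
    Size: 1 B
  TXT
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    records = parse_package_listing(build_fixture(dir))
    verify_packages(records, dir).each { |file, status| puts "#{status}\t#{file}" }
  end
end
```

To use it on a real download, pass the listing text from this page to parse_package_listing and the download directory to verify_packages; anything other than :ok should stop the install. This complements, and does not replace, rpm's own GPG signature check on the packages.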