AXSA:2022-3091:01

Release date:
2022/02/28 Monday - 21:11
Title:
rh-ruby26-ruby-2.6.9-120.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
High
Description: 

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version: rh-ruby26-ruby (2.6.9).

Security Fix(es):

* rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source (CVE-2020-36327)
* rubygem-rdoc: Command injection vulnerability in RDoc (CVE-2021-31799)
* ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host (CVE-2021-31810)
* ruby: StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066)
* ruby: Regular expression denial of service vulnerability of Date parsing methods (CVE-2021-41817)
* ruby: Cookie prefix spoofing in CGI::Cookie.parse (CVE-2021-41819)
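The Date ReDoS entry above is about attacker-controlled input length: the date gem's parsing regexps backtrack catastrophically on long strings, and the fixed gem versions mitigate this by refusing input over a length limit (date 3.2.1 added a `limit:` keyword to Date.parse, default 128). The following is an added example, not code from Ruby or the date gem, that applies the same guard in front of Date.parse so it also protects an unpatched interpreter; the constant name and the 128 default are assumptions chosen to match the upstream fix.

```ruby
require "date"

# Assumption: same default length limit the fixed date gem applies.
DATE_INPUT_LIMIT = 128

# Reject oversized strings before Date.parse ever sees them. The check is O(1),
# so an attacker cannot drive the parser's regexps into catastrophic backtracking
# with a multi-kilobyte "date". Raises ArgumentError, like the fixed gem does.
def safe_date_parse(str, limit: DATE_INPUT_LIMIT)
  str = str.to_s
  if str.length > limit
    raise ArgumentError, "string length (#{str.length}) exceeds the limit #{limit}"
  end
  Date.parse(str)
end

# Convenience wrapper for request handling: any parse failure (length guard or
# Date::Error, which is an ArgumentError subclass) becomes nil instead of a 500.
def date_or_nil(str, limit: DATE_INPUT_LIMIT)
  safe_date_parse(str, limit: limit)
rescue ArgumentError
  nil
end

if __FILE__ == $0
  p safe_date_parse("2022-02-28")          # => #<Date: 2022-02-28 ...>
  p date_or_nil("x" * 100_000)             # => nil, returned immediately
  p date_or_nil("not a date")              # => nil
end
```

Applying the guard at the web layer (query parameters, form fields, JSON bodies) rather than at each call site keeps it from being forgotten when new parsing code is added.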

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-36327
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct to use CVE-2021-24105 for every "Dependency Confusion" issue in every product.
CVE-2021-31799
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via a filename that starts with `|` and ends with `tags`: RDoc opened such files with Kernel#open, which treats a leading `|` as a command to run.
CVE-2021-31810
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions from the client's network position).
CVE-2021-32066
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the server to block the StartTLS command, aka a "StartTLS stripping attack."
CVE-2021-41817
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
CVE-2021-41819
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
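The CVE-2021-31810 entry describes a server steering the client's data connection with the PASV reply. Upstream fixed Net::FTP by ignoring the address in the PASV reply and reusing the control connection's peer address unless the caller opts in with `use_pasv_ip`. The block below is an added example, not Ruby's own Net::FTP code, that reproduces that decision on a constructed 227 reply so the vulnerable and fixed behaviours can be compared offline; `parse_pasv`, `data_endpoint` and the sample addresses are assumptions made for the example.

```ruby
# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = /\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Parse the six comma-separated numbers into [host, port], rejecting anything
# that is not a well-formed 227 reply.
def parse_pasv(reply)
  raise ArgumentError, "not a 227 reply: #{reply.inspect}" unless reply.start_with?("227")
  m = PASV_RE.match(reply) or raise ArgumentError, "malformed PASV reply: #{reply.inspect}"
  fields = m.captures.map(&:to_i)
  raise ArgumentError, "PASV field out of range" if fields.any? { |f| f > 255 }
  host = fields[0, 4].join(".")
  port = fields[4] * 256 + fields[5]
  raise ArgumentError, "PASV port out of range" unless (1..65_535).cover?(port)
  [host, port]
end

# Decide where the data connection goes. The pre-fix behaviour trusted `host`
# from the reply unconditionally, so a hostile server could point the client at
# any address reachable from the client's network (port scans, banner grabs).
# The fixed behaviour, mirrored here, only uses the advertised host when the
# caller explicitly asked for it (use_pasv_ip: true) or when it equals the peer
# we are already talking to; otherwise the port is taken from the reply but the
# connection is made to the control connection's peer.
def data_endpoint(reply, control_peer_ip, use_pasv_ip: false)
  host, port = parse_pasv(reply)
  if use_pasv_ip || host == control_peer_ip
    [host, port]
  else
    [control_peer_ip, port]
  end
end

if __FILE__ == $0
  # Constructed reply from a hostile server that tries to redirect the data
  # connection to an internal host instead of itself.
  reply = "227 Entering Passive Mode (10,0,0,5,4,1)"
  p data_endpoint(reply, "192.0.2.10")                    # => ["192.0.2.10", 1025]
  p data_endpoint(reply, "192.0.2.10", use_pasv_ip: true) # => ["10.0.0.5", 1025]
end
```

When auditing code that still runs an unpatched rh-ruby26 build, grep for `Net::FTP` and `passive` usage; anything that talks to servers outside your control with passive mode enabled is the path this advisory closes.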

Solution:

Update packages.

Additional information:

N/A

Downloads:

SRPMS
  1. rh-ruby26-ruby-2.6.9-120.el7.src.rpm
    MD5: 6666f1b0d81d1c77f67bce0effa6e3e4
    SHA-256: 7ae865b32d02d49ae3891173bcb205cf9bb505e0f278c8e256bc551024e5bbd3
    Size: 11.16 MB

Asianux Server 7 for x86_64
  1. rh-ruby26-ruby-2.6.9-120.el7.x86_64.rpm
    MD5: 3c6711c0cc820247b75f69cda888cc7f
    SHA-256: 82616f0178e02a9019903f704902048cb6e46c3c89a5e0ccf2e383598c4d59f0
    Size: 78.37 kB
  2. rh-ruby26-ruby-devel-2.6.9-120.el7.x86_64.rpm
    MD5: c5f1aed716e4d818c86b1a29768b4655
    SHA-256: d83ee802592afb4023c8836f7f68fc4ad028a14dbb6f31402450b658e99beda0
    Size: 230.73 kB
  3. rh-ruby26-ruby-doc-2.6.9-120.el7.noarch.rpm
    MD5: 3aa4c0cfe6cb19e1310e65e50e2fea93
    SHA-256: 3c7b216f44e6bf092002e22b88b6193fd3af8e7d2cbc5e624416724baffeb400
    Size: 6.33 MB
  4. rh-ruby26-rubygem-bigdecimal-1.4.1-120.el7.x86_64.rpm
    MD5: 073f0302ad95a115fa325dbca8b89c11
    SHA-256: 85b0931534f32f8fa4f6071d6bfd56a867ecaf22fbd89cd2542442bf9bf4d4cb
    Size: 91.34 kB
  5. rh-ruby26-rubygem-bundler-1.17.2-120.el7.noarch.rpm
    MD5: a6a66877beed14c6427897dc671541d0
    SHA-256: a03f8da7eb2bd09aef792aaefe68c3f156dc2a7b13cd5d1d49e71d0bb041e9c8
    Size: 351.27 kB
  6. rh-ruby26-rubygem-did_you_mean-1.3.0-120.el7.noarch.rpm
    MD5: 869d99f086a51f1c866dddb8992cf75c
    SHA-256: 746ee70f661b64b159cb0b4bcd8893d3ee5185c16f8d416715ced08ce2be3188
    Size: 76.04 kB
  7. rh-ruby26-rubygem-io-console-0.4.7-120.el7.x86_64.rpm
    MD5: 84d883c85864659845ecc4dc5f44222e
    SHA-256: 0ecfce76c97fa949b6e97a133cb226d1d8e4c691df8c78d0aca690b2f0f2d221
    Size: 58.39 kB
  8. rh-ruby26-rubygem-irb-1.0.0-120.el7.noarch.rpm
    MD5: 3707cad13ac4d0eae1c7e33161382c30
    SHA-256: 5ab3300326d07c64d6c5378360fed5002f09d224272434949fc2fe86186c98e4
    Size: 97.97 kB
  9. rh-ruby26-rubygem-json-2.1.0-120.el7.x86_64.rpm
    MD5: 7560fd76c6d2dbe100c8849ddf5ac3bf
    SHA-256: 72c059cd546c8c85391ae5a554ca7e93fff80e8f0f9c079592a1f57913d5053d
    Size: 81.83 kB
  10. rh-ruby26-rubygem-minitest-5.11.3-120.el7.noarch.rpm
    MD5: f5e38c668fd160ceba4b2df2618d5369
    SHA-256: e3509bd28d65c24070dc1cfb0075f06a9e098982d0313dc25eb5ce7dcea5913e
    Size: 117.96 kB
  11. rh-ruby26-rubygem-net-telnet-0.2.0-120.el7.noarch.rpm
    MD5: 28fe341c49f358bc4924462b4b6b5577
    SHA-256: c145386af76de4c6df0394802cfe2410c56f8525415590bf439061e15d51a95e
    Size: 62.85 kB
  12. rh-ruby26-rubygem-openssl-2.1.2-120.el7.x86_64.rpm
    MD5: dabc1310ec3ac457916b2fcc22c0eed1
    SHA-256: f67c1a963e2826b4ea4b059ffebbc2cefee1d1b3d74b3681bd804bb3b1b0f0de
    Size: 178.46 kB
  13. rh-ruby26-rubygem-power_assert-1.1.3-120.el7.noarch.rpm
    MD5: 0434b02a2d7e53a6a9a443b76a7d17f8
    SHA-256: 8ce9113b36329b8ea392e7243ddcc43a9bde1fca4be2bfd79823923a1bebf5d2
    Size: 62.25 kB
  14. rh-ruby26-rubygem-psych-3.1.0-120.el7.x86_64.rpm
    MD5: a098c3373a3e1940d0ed14c0c110959a
    SHA-256: dc485833ba12d8cabece8d3835d0683c7bafb9c14ffde73947959b9ca67ba077
    Size: 87.66 kB
  15. rh-ruby26-rubygem-rake-12.3.3-120.el7.noarch.rpm
    MD5: 6a0a2d8901c844a11cbd793090949cc1
    SHA-256: 1928bb23334e05c5a35e5775892717f51cd2c793ba68f2a5133309821273d472
    Size: 134.46 kB
  16. rh-ruby26-rubygem-rdoc-6.1.2.1-120.el7.noarch.rpm
    MD5: 2459e114fa3c2ebb350132fbcbb3d452
    SHA-256: 8dcb347edf12aba6d89a53ad1fafac25146ae81c09c781ce55e6c4d3100d0f82
    Size: 450.24 kB
  17. rh-ruby26-rubygems-3.0.3.1-120.el7.noarch.rpm
    MD5: 58645adc28af9368ae29f802ed2acf50
    SHA-256: e4a596fdd9ea4e7e447e6e52dfc0a26588b2cc62940655d969d175e1a48f37d5
    Size: 310.29 kB
  18. rh-ruby26-rubygems-devel-3.0.3.1-120.el7.noarch.rpm
    MD5: 276e492b643575883cd7434c9e3d98d7
    SHA-256: 22b3bb144c3ca2a2eff36e37d5b7ee9343c85c4d3baf50a935c77eddbbcd5a60
    Size: 50.27 kB
  19. rh-ruby26-rubygem-test-unit-3.2.9-120.el7.noarch.rpm
    MD5: 85e31224c9686fe40ad5d4792ff19173
    SHA-256: 4fb4f095b5f0f89d6764acb59423969d4bff4ccf7a8c4862cff0d0276a7b2924
    Size: 178.92 kB
  20. rh-ruby26-rubygem-xmlrpc-0.3.0-120.el7.noarch.rpm
    MD5: 7d2a02576744b0dd795dd7330d741490
    SHA-256: f6a3aecfa154c24bca1db285f2639b122976cf7e26079ab98940c637366ad02c
    Size: 74.41 kB
  21. rh-ruby26-ruby-libs-2.6.9-120.el7.x86_64.rpm
    MD5: dd5a78e8b91e0d66ae5f573113555db0
    SHA-256: ecbccf770bb150cee6c3a30f446d3492a1d303c4e2728ced431650fc4d612e85
    Size: 2.95 MB
Copyright 2007-2022 Cybertrust Japan Co., Ltd. All rights reserved.