ruby:2.5 security update
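Errata ID: AXSA:2024-8560:01
The following issues have been addressed.
[Security Fix]
- The URI component of Ruby consumes excessive CPU resources because of a flaw in how it processes invalid URLs containing specific characters. This allows a remote attacker to cause a regular expression denial of service via a crafted URL. (CVE-2023-36617)
- The ungetbyte() and ungetc() methods of Ruby's StringIO can read outside the bounds of the string buffer, which allows a remote attacker to disclose information. (CVE-2024-27280)
- RDoc does not restrict which classes can be restored when a .rdoc_options file is parsed as a YAML file, which allows a local attacker to inject unauthorized objects and execute arbitrary code. (CVE-2024-27281)
- Ruby's regular expression processing permits unauthorized reads of arbitrary heap data, which allows a local attacker to disclose information via a crafted regular expression. (CVE-2024-27282)
- REXML for Ruby enters a denial-of-service state when an attribute value contains a large number of '<' characters, which allows a remote attacker to cause a denial of service via carefully crafted untrusted XML. (CVE-2024-35176)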
Modularity name: ruby
Stream name: 2.5
Update the packages.
A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
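The missing class restriction described above, shown as an added Ruby example (it is not RDoc's code and not part of the advisory). `DemoPayload`, the sample documents, the key allowlist and the loader functions are constructed for illustration; the restricted loader is one way to parse an options-style YAML file without restoring arbitrary classes.

```ruby
require 'yaml'

# Constructed stand-in for any class that a YAML tag could name.
class DemoPayload
  attr_accessor :note
end

# Constructed sample inputs: a plain options file and one carrying an object tag.
PLAIN_OPTIONS  = "title: My Project\nmarkup: markdown\nexclude:\n- tmp\n"
TAGGED_OPTIONS = "title: !ruby/object:DemoPayload\n  note: restored from YAML\n"

# Keys this hypothetical loader accepts, with the type each value must have.
ALLOWED_KEYS = { 'title' => String, 'markup' => String, 'exclude' => Array }.freeze

# Unrestricted loading, the behaviour the CVE text describes: any class named
# in a tag is restored. Psych 4 exposes this as unsafe_load.
def load_options_unrestricted(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Restricted loading: no custom classes, no aliases, then a key/type allowlist.
def load_options_restricted(text)
  data = YAML.safe_load(text, permitted_classes: [], aliases: false)
  raise ArgumentError, 'options must be a mapping' unless data.is_a?(Hash)
  data.each do |key, value|
    type = ALLOWED_KEYS[key]
    raise ArgumentError, "unknown option #{key.inspect}" unless type
    raise ArgumentError, "bad type for #{key}" unless value.is_a?(type)
  end
  data
end

# Returns :accepted or the name of the error class that stopped the load.
def restricted_verdict(text)
  load_options_restricted(text)
  :accepted
rescue Psych::DisallowedClass, Psych::BadAlias, ArgumentError => e
  e.class.name
end

if __FILE__ == $PROGRAM_NAME
  puts load_options_unrestricted(TAGGED_OPTIONS)['title'].class
  puts restricted_verdict(PLAIN_OPTIONS)
  puts restricted_verdict(TAGGED_OPTIONS)
end
```

The allowlist step matters as much as `safe_load`: it rejects well-formed YAML that carries keys or value types the consumer never expected.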
An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted by this vulnerability. The REXML gem 3.2.7 or later includes the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.
SRPMS
- rubygem-abrt-0.3.0-4.module+el8+1791+f1ea2ab9.src.rpm (Size: 16.02 kB)
- rubygem-bson-4.3.0-2.module+el8+1791+f1ea2ab9.src.rpm (Size: 90.07 kB)
- rubygem-bundler-1.16.1-4.module+el8+1791+f1ea2ab9.src.rpm (Size: 14.64 MB)
- rubygem-mongo-2.5.1-2.module+el8+1791+f1ea2ab9.src.rpm (Size: 338.58 kB)
- rubygem-mysql2-0.4.10-4.module+el8+1791+f1ea2ab9.ML.1.src.rpm (Size: 108.28 kB)
- rubygem-pg-1.0.0-3.module+el8+1791+f1ea2ab9.src.rpm (Size: 218.84 kB)
- ruby-2.5.9-112.module+el8+1791+f1ea2ab9.src.rpm (Size: 10.97 MB)
Asianux Server 8 for x86_64
- ruby-2.5.9-112.module+el8+1791+f1ea2ab9.i686.rpm (Size: 87.33 kB)
- ruby-2.5.9-112.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 87.22 kB)
- ruby-debugsource-2.5.9-112.module+el8+1791+f1ea2ab9.i686.rpm (Size: 3.68 MB)
- ruby-debugsource-2.5.9-112.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 3.68 MB)
- ruby-devel-2.5.9-112.module+el8+1791+f1ea2ab9.i686.rpm (Size: 126.65 kB)
- ruby-devel-2.5.9-112.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 126.63 kB)
- ruby-doc-2.5.9-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 5.34 MB)
- rubygem-abrt-0.3.0-4.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 12.49 kB)
- rubygem-abrt-doc-0.3.0-4.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 198.15 kB)
- rubygem-bigdecimal-1.3.4-112.module+el8+1791+f1ea2ab9.i686.rpm (Size: 100.72 kB)
- rubygem-bigdecimal-1.3.4-112.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 97.89 kB)
- rubygem-bson-4.3.0-2.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 53.38 kB)
- rubygem-bson-debugsource-4.3.0-2.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 19.73 kB)
- rubygem-bson-doc-4.3.0-2.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 373.78 kB)
- rubygem-bundler-1.16.1-4.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 351.83 kB)
- rubygem-bundler-doc-1.16.1-4.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 1.23 MB)
- rubygem-did_you_mean-1.2.0-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 81.85 kB)
- rubygem-io-console-0.4.6-112.module+el8+1791+f1ea2ab9.i686.rpm (Size: 68.26 kB)
- rubygem-io-console-0.4.6-112.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 67.31 kB)
- rubygem-json-2.1.0-112.module+el8+1791+f1ea2ab9.i686.rpm (Size: 92.44 kB)
- rubygem-json-2.1.0-112.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 91.09 kB)
- rubygem-minitest-5.10.3-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 123.15 kB)
- rubygem-mongo-2.5.1-2.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 184.41 kB)
- rubygem-mongo-doc-2.5.1-2.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 1.20 MB)
- rubygem-mysql2-0.4.10-4.module+el8+1791+f1ea2ab9.ML.1.x86_64.rpm (Size: 44.30 kB)
- rubygem-mysql2-debugsource-0.4.10-4.module+el8+1791+f1ea2ab9.ML.1.x86_64.rpm (Size: 36.06 kB)
- rubygem-mysql2-doc-0.4.10-4.module+el8+1791+f1ea2ab9.ML.1.noarch.rpm (Size: 275.42 kB)
- rubygem-net-telnet-0.1.1-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 70.86 kB)
- rubygem-openssl-2.1.2-112.module+el8+1791+f1ea2ab9.i686.rpm (Size: 202.19 kB)
- rubygem-openssl-2.1.2-112.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 189.96 kB)
- rubygem-pg-1.0.0-3.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 86.18 kB)
- rubygem-pg-debugsource-1.0.0-3.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 81.22 kB)
- rubygem-pg-doc-1.0.0-3.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 522.83 kB)
- rubygem-power_assert-1.1.1-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 69.94 kB)
- rubygem-psych-3.0.2-112.module+el8+1791+f1ea2ab9.i686.rpm (Size: 97.05 kB)
- rubygem-psych-3.0.2-112.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 95.72 kB)
- rubygem-rake-12.3.3-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 141.96 kB)
- rubygem-rdoc-6.0.1.1-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 456.60 kB)
- rubygems-2.7.6.3-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 308.66 kB)
- rubygems-devel-2.7.6.3-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 60.75 kB)
- rubygem-test-unit-3.2.7-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 182.74 kB)
- rubygem-xmlrpc-0.3.0-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 82.43 kB)
- ruby-irb-2.5.9-112.module+el8+1791+f1ea2ab9.noarch.rpm (Size: 102.71 kB)
- ruby-libs-2.5.9-112.module+el8+1791+f1ea2ab9.i686.rpm (Size: 3.03 MB)
- ruby-libs-2.5.9-112.module+el8+1791+f1ea2ab9.x86_64.rpm (Size: 2.92 MB)