Debian 9: Critical Security Update DLA-2780-1 for Ruby 2.3 Released

debian lts
October 13, 2021
Debian LTS advisory DLA-2780-1 covers three vulnerabilities in ruby2.3 and the package version that fixes them on Debian 9 stretch.
Multiple vulnerabilities were discovered in ruby2.3, the interpreter for the object-oriented scripting language Ruby.

Summary

CVE-2021-31799

In RDoc 3.11 through 6.x before 6.3.1, as distributed with
Ruby through 2.3.3, it is possible to execute arbitrary
code via | and tags in a filename.
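The root cause behind this class of bug is Ruby's Kernel#open, which treats a filename beginning with "|" as a command to spawn. The following is an added example, not RDoc's own code: it shows that pattern beside the File.open form that only ever opens a path, plus a small guard for code that still has to call the legacy open(). The method names and the "|echo pwned" filename are constructed for illustration.

```ruby
# Added example (not RDoc's code): Kernel#open on a user-controlled
# filename versus File.open, which never interprets a leading "|".

# Vulnerable pattern: Kernel#open treats a name beginning with "|" as a
# command to spawn, so a checked-in file called "|touch /tmp/pwned" is
# executed rather than read when a tool walks the tree with open(name).
def vulnerable_read(name)
  open(name, &:read)
end

# Hardened: File.open only ever opens a path. A name such as
# "|echo pwned" simply fails with Errno::ENOENT (no such file).
def safe_read(name)
  File.open(name, "r", &:read)
end

# Defensive check for code that still has to call legacy open():
# refuse any name that Kernel#open would interpret as a pipe.
def pipe_name?(name)
  name.start_with?("|")
end

if __FILE__ == $0
  require "tempfile"
  Tempfile.create("source") do |f|
    f.write("class Foo; end\n")
    f.flush
    puts safe_read(f.path)   # prints the file contents
  end
  puts pipe_name?("|id")     # true
end
```

Calling vulnerable_read("|echo pwned") would run echo instead of reading a file; the guard and the File.open form are what a parser that accepts filenames from a source tree should use.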

CVE-2021-31810

An issue was discovered in Ruby through 2.3.3. A malicious
FTP server can use the PASV response to trick Net::FTP into
connecting back to an IP address and port of the server's
choosing. This potentially makes Net::FTP extract information
about services that are otherwise private and not disclosed
(e.g., the attacker can conduct port scans and service banner
extractions against hosts reachable from the client).
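To make the PASV issue concrete, here is an added example (not Net::FTP's code) that parses a PASV reply and shows the two ways a client can choose its data-connection endpoint: trusting the advertised address, or keeping only the port and reconnecting to the control connection's peer. The hardened variant mirrors the approach upstream Ruby took with the use_pasv_ip option (off by default); the method names and the hostile reply below are constructed for illustration.

```ruby
# Added example (not Net::FTP's code): parsing a PASV reply and choosing
# where the data connection goes.

PASV_REPLY = /\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> ["h1.h2.h3.h4", p1*256+p2]
def parse_pasv(reply)
  m = PASV_REPLY.match(reply)
  raise ArgumentError, "malformed PASV reply: #{reply.inspect}" unless m
  h1, h2, h3, h4, p1, p2 = m.captures.map(&:to_i)
  raise ArgumentError, "bad octet in PASV reply" if [h1, h2, h3, h4].any? { |o| o > 255 }
  ["#{h1}.#{h2}.#{h3}.#{h4}", p1 * 256 + p2]
end

# Vulnerable behaviour: trust whatever address the server advertises, so a
# hostile server can point the client's data connection at 10.0.0.5:1234,
# an address inside the client's own network, and observe what answers.
def data_endpoint_trusting(reply)
  parse_pasv(reply)
end

# Hardened behaviour (modelled on upstream's use_pasv_ip option, default
# off): keep the advertised port but connect to the peer of the control
# connection, so the server cannot redirect the client elsewhere. Only
# honour the advertised host on explicit opt-in.
def data_endpoint(control_peer, reply, use_pasv_ip: false)
  host, port = parse_pasv(reply)
  use_pasv_ip ? [host, port] : [control_peer, port]
end

if __FILE__ == $0
  hostile = "227 Entering Passive Mode (10,0,0,5,4,210)\r\n"  # constructed reply
  p data_endpoint_trusting(hostile)          # ["10.0.0.5", 1234]
  p data_endpoint("203.0.113.10", hostile)   # ["203.0.113.10", 1234]
end
```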

CVE-2021-32066

An issue was discovered in Ruby through 2.3.3. Net::IMAP does
not raise an exception when StartTLS fails with an unknown
response, which might allow man-in-the-middle attackers to
bypass the TLS protections by leveraging a network position
between the client and the IMAP server to block the StartTLS
command, aka a "StartTLS stripping attack."
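The following added example (a model of the failure mode, not Net::IMAP's code) shows why the missing exception matters. An attacker who can drop the STARTTLS command, or substitute an unexpected reply, leaves the vulnerable client continuing in plaintext, so the LOGIN that follows goes over the wire unencrypted; the hardened handler refuses to proceed on anything but a matching tagged OK. The method and struct names and the sample replies are constructed for illustration.

```ruby
# Added example (not Net::IMAP's code): validating the tagged reply to
# STARTTLS before switching the socket to TLS.

class StartTLSFailed < StandardError; end

TaggedResponse = Struct.new(:tag, :status, :text)

# A tagged IMAP reply looks like "A001 OK Begin TLS negotiation now".
def parse_tagged(line)
  tag, status, text = line.chomp.split(" ", 3)
  TaggedResponse.new(tag, status, text)
end

# Vulnerable handling: only NO/BAD count as failure. A reply with an
# unexpected status (for instance one an active attacker injected after
# dropping the STARTTLS command) falls through and the session continues
# in plaintext, so the LOGIN that follows is sent unencrypted.
def starttls_vulnerable(line)
  r = parse_tagged(line)
  return :tls if r.status == "OK"
  raise StartTLSFailed, r.text.to_s if %w[NO BAD].include?(r.status)
  :plaintext
end

# Hardened handling: anything but an OK carrying the tag we sent aborts,
# and nothing else goes onto the socket until TLS is up.
def starttls_fixed(line, expected_tag)
  r = parse_tagged(line)
  unless r.tag == expected_tag && r.status == "OK"
    raise StartTLSFailed, "STARTTLS not confirmed: #{line.chomp.inspect}"
  end
  :tls
end

if __FILE__ == $0
  p starttls_vulnerable("A001 BOGUS\r\n")            # :plaintext (downgraded)
  p starttls_fixed("A001 OK Begin TLS\r\n", "A001")  # :tls
end
```

Matching the tag as well as the status is the extra check a practitioner should keep: a stray untagged or mis-tagged OK from earlier in the session must not be taken as confirmation that TLS negotiation can start.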

For Debian 9 stretch, these problems have been fixed in version 2.3.3-1+deb9u10.

Severity: Critical

Package: ruby2.3
Version: 2.3.3-1+deb9u10
CVE ID: CVE-2021-31799 CVE-2021-31810 CVE-2021-32066
Debian Bug: 990815
