- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3858-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
September 02, 2024                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ruby2.7
Version        : 2.7.4-1+deb11u2
CVE ID         : CVE-2021-33621 CVE-2022-28739 CVE-2023-28755 CVE-2023-28756 
                 CVE-2023-36617 CVE-2024-27280 CVE-2024-27281 CVE-2024-27282
Debian Bug     : 1009957 1024799 1038408 1067802 1069966 1069968

Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may result in denial-of-service (DoS),
information leak, and remote code execution.

CVE-2021-33621

    The cgi gem allows HTTP response splitting. This is relevant to
    applications that use untrusted user input either to generate an
    HTTP response or to create a CGI::Cookie object.

CVE-2022-28739

    Buffer over-read occurs in String-to-Float conversion, including
    Kernel#Float and String#to_f.

CVE-2023-28755

    A ReDoS issue was discovered in the URI component. The URI parser
    mishandles invalid URLs that have specific characters. It causes
    an increase in execution time for parsing strings to URI objects.

CVE-2023-28756

    A ReDoS issue was discovered in the Time component. The Time
    parser mishandles invalid URLs that have specific characters. It
    causes an increase in execution time for parsing strings to Time
    objects.

CVE-2023-36617

    Follow-up fix for CVE-2023-28755.

CVE-2024-27280

    A buffer-overread issue was discovered in StringIO. The ungetbyte
    and ungetc methods on a StringIO can read past the end of a
    string, and a subsequent call to StringIO.gets may return the
    memory value.

CVE-2024-27281

    When parsing .rdoc_options (used for configuration in RDoc) as a
    YAML file, object injection and resultant remote code execution
    are possible because there are no restrictions on the classes that
    can be restored. (When loading the documentation cache, object
    injection and resultant remote code execution are also possible if
    there were a crafted cache.)

CVE-2024-27282

    If attacker-supplied data is provided to the Ruby regex compiler,
    it is possible to extract arbitrary heap data relative to the
    start of the text, including pointers and sensitive strings.

For Debian 11 bullseye, these problems have been fixed in version
2.7.4-1+deb11u2.

We recommend that you upgrade your ruby2.7 packages.

For the detailed security status of ruby2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3858-1: ruby2.7 Security Advisory Updates

September 2, 2024
Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in denial-of-service (DoS), information leak, and remote code execution

Summary

CVE-2021-33621

The cgi gem allows HTTP response splitting. This is relevant to
applications that use untrusted user input either to generate an
HTTP response or to create a CGI::Cookie object.

CVE-2022-28739

Buffer over-read occurs in String-to-Float conversion, including
Kernel#Float and String#to_f.

CVE-2023-28755

A ReDoS issue was discovered in the URI component. The URI parser
mishandles invalid URLs that have specific characters. It causes
an increase in execution time for parsing strings to URI objects.

CVE-2023-28756

A ReDoS issue was discovered in the Time component. The Time
parser mishandles invalid URLs that have specific characters. It
causes an increase in execution time for parsing strings to Time
objects.

CVE-2023-36617

Follow-up fix for CVE-2023-28755.

CVE-2024-27280

A buffer-overread issue was discovered in StringIO. The ungetbyte
and ungetc methods on a StringIO can read past the end of a
string, and a subsequent call to StringIO.gets may return the
memory value.

CVE-2024-27281

When parsing .rdoc_options (used for configuration in RDoc) as a
YAML file, object injection and resultant remote code execution
are possible because there are no restrictions on the classes that
can be restored. (When loading the documentation cache, object
injection and resultant remote code execution are also possible if
there were a crafted cache.)

CVE-2024-27282

If attacker-supplied data is provided to the Ruby regex compiler,
it is possible to extract arbitrary heap data relative to the
start of the text, including pointers and sensitive strings.

For Debian 11 bullseye, these problems have been fixed in version
2.7.4-1+deb11u2.

We recommend that you upgrade your ruby2.7 packages.

For the detailed security status of ruby2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
Package : ruby2.7
Version : 2.7.4-1+deb11u2
CVE ID : CVE-2021-33621 CVE-2022-28739 CVE-2023-28755 CVE-2023-28756
Debian Bug : 1009957 1024799 1038408 1067802 1069966 1069968

Related News

Fighting Back Against Hadooken Malware by Strengthening WebLogic Security
2 - 4 min read
Cybercriminals have been relentlessly attacking the digital landscape, aiming to exploit vulnerabilities in well-known systems. One such exploit is
CISA Sounds Alarm on Newly Exploited Vulnerabilities: Is Your System at Risk?
3 - 5 min read
CISA regularly publishes updates regarding vulnerabilities that present severe threats to global cybersecurity. Recently, CISA added three
Defending Against Remote Code Execution in Google Chrome: A Critical Update
2 - 3 min read
Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe
Navigating the Linux Kernel
2 - 4 min read
The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant
Staying a Step Ahead of Adversaries: Mitigating Chromium
2 - 4 min read
Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium
Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware
2 - 4 min read
Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called
Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures
3 - 6 min read
Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power
8 Expert-Recommended Security Practices to Fortify Your Linux Systems
4 - 8 min read
As a Linux admin or an infosec professional, you understand how the security landscape changes due to evolving threats, newly discovered

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved