Alerts This Week
Warning Icon 1 535
Alerts This Week
Warning Icon 1 535

Fedora 34: 2021-36cdab1f8d Critical: Ruby Command Injection and FTP Issues

fedora
Calendar Grey July 28, 2021
Dist Fedora Esm H88
Resolves urgent vulnerabilities within Ruby on Fedora 34, tackling risks related to command exploitation and FTP link weaknesses.
Security fix for CVE-2020-36327 CVE-2021-31799 CVE-2021-31810 CVE-2021-32066

Summary

Ruby is the interpreted scripting language for quick and easy

object-oriented programming. It has many features to process text

files and to do system management tasks (as in Perl). It is simple,

straight-forward, and extensible.

Security fix for CVE-2020-36327 CVE-2021-31799 CVE-2021-31810 CVE-2021-32066

* Tue Jul 13 2021 Jarek Prokop - 3.0.2-149

- Upgrade to Ruby 3.0.2.

- Fix command injection vulnerability in RDoc.

Resolves: CVE-2021-31799

- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.

Resolves: CVE-2021-31810

- Fix StartTLS stripping vulnerability in Net::IMAP.

Resolves: CVE-2021-32066

- Fix dependencies of gems with explicit source installed from a different

source.

Resolves: CVE-2020-36327

[ 1 ] Bug #1958999 - CVE-2020-36327 rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source

https://bugzilla.redhat.com/show_bug.cgi?id=1958999

[ 2 ] Bug #1980126 - CVE-2021-31810 ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host

https://bugzilla.redhat.com/show_bug.cgi?id=1980126

[ 3 ] Bug #1980128 - CVE-2021-32066 ruby: StartTLS stripping vulnerability in Net::IMAP

https://bugzilla.redhat.com/show_bug.cgi?id=1980128

[ 4 ] Bug #1980132 - CVE-2021-31799 rubygem-rdoc: Command injection vulnerability in RDoc

https://bugzilla.redhat.com/show_bug.cgi?id=1980132

su -c 'dnf upgrade --advisory FEDORA-2021-36cdab1f8d' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Topics%20covered

Topics Covered

security advisory fedora critical ruby command injection ftp issues starttls stripping

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 34
Version: 3.0.2
Release: 149.fc34
URL: https://www.ruby-lang.org/
Summary: An interpreter of object-oriented scripting language

Topics%20covered

Topics Covered

security advisory fedora critical ruby command injection ftp issues starttls stripping

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here