Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Red Hat 8: RHSA-2021:2587-01 Moderate: Ruby 2.5 Security Patch

red hat
Calendar Grey June 29, 2021
Dist Redhat Esm H88
Minimal security enhancements for ruby:2.5 in Red Hat 8 consist of remedies for NUL injection and service interruption weaknesses.
An update for the ruby:2.5 module is now available for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: ruby (2.5.9). (BZ#1952626)
Security Fix(es):
* ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)
* ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201)
* ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)
* rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)
* ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)
* ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)
* ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)
* ruby: HTTP response splitting in WEBrick (CVE-2019-16254)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory Red Hat bug fix DoS ruby medium impact NUL injection

References

https://access.redhat.com/security/cve/CVE-2019-15845 https://access.redhat.com/security/cve/CVE-2019-16201 https://access.redhat.com/security/cve/CVE-2019-16254 https://access.redhat.com/security/cve/CVE-2019-16255 https://access.redhat.com/security/cve/CVE-2020-10663 https://access.redhat.com/security/cve/CVE-2020-10933 https://access.redhat.com/security/cve/CVE-2020-25613 https://access.redhat.com/security/cve/CVE-2021-28965 https://access.redhat.com/security/updates/classification#moderate

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: ruby-2.5.9-107.module+el8.4.0+10822+fe4fffb1.src.rpm rubygem-abrt-0.3.0-4.module+el8.1.0+3656+f80bfa1d.src.rpm rubygem-bson-4.3.0-2.module+el8.1.0+3656+f80bfa1d.src.rpm rubygem-bundler-1.16.1-3.module+el8.1.0+3656+f80bfa1d.src.rpm rubygem-mongo-2.5.1-2.module+el8.1.0+3656+f80bfa1d.src.rpm rubygem-mysql2-0.4.10-4.module+el8.1.0+3656+f80bfa1d.src.rpm rubygem-pg-1.0.0-2.module+el8.1.0+3656+f80bfa1d.src.rpm
aarch64: ruby-2.5.9-107.module+el8.4.0+10822+fe4fffb1.aarch64.rpm ruby-debuginfo-2.5.9-107.module+el8.4.0+10822+fe4fffb1.aarch64.rpm ruby-debugsource-2.5.9-107.module+el8.4.0+10822+fe4fffb1.aarch64.rpm ruby-devel-2.5.9-107.module+el8.4.0+10822+fe4fffb1.aarch64.rpm ruby-libs-2.5.9-107.module+el8.4.0+10822+fe4fffb1.aarch64.rpm ruby-libs-debuginfo-2.5.9-107.module+el8.4.0+10822+fe4fffb1.aarch64.rpm rubygem-bigdecimal-1.3.4-107.module+el8.4.0+10822+fe4fffb1.aarch64.rpm rubygem-bigdecimal-debuginfo-1.3.4-107.module+el8.4.0+10822+fe4fffb1.aarch64.rpm rubygem-bson-4.3.0-2.module+el8.1.0+3656+f80bfa1d.aarch64.rpm rubygem-bson-debuginfo-4.3.0-2.module+el8.1.0+3656+f80bfa1d.aarch64.rpm rubygem-bson-debugsource-4.3.0-2.module+el8.1.0+3656+f80bfa1d.aarch64.rpm rubygem-io-console-0.4.6-107.module+el8.4.0+10822+fe4fffb1.aarch64.rpm

Read the Full Advisory


Advisory ID: RHSA-2021:2587-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2587
Issue date: 2021-06-29

Topic

An update for the ruby:2.5 module is now available for Red Hat EnterpriseLinux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory Red Hat bug fix DoS ruby medium impact NUL injection

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

1773728 - CVE-2019-16201 ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication

1789407 - CVE-2019-15845 ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch?

1789556 - CVE-2019-16254 ruby: HTTP response splitting in WEBrick

1793683 - CVE-2019-16255 ruby: Code injection via command argument of Shell#test / Shell#[]

1827500 - CVE-2020-10663 rubygem-json: Unsafe object creation vulnerability in JSON

1833291 - CVE-2020-10933 ruby: BasicSocket#read_nonblock method leads to information disclosure

1883623 - CVE-2020-25613 ruby: Potential HTTP request smuggling in WEBrick

1947526 - CVE-2021-28965 ruby: XML round-trip vulnerability in REXML

1952626 - Rebase to the latest Ruby 2.5 point release [rhel-8] [rhel-8.4.0.z]

1955010 - Resolv::DNS: ruby:2.5/ruby: timeouts if multiple IPv6 name servers are given and address contains leading zero [rhel-8] [rhel-8.4.0.z]

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here