Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Red Hat Enterprise Linux 8 RHSA-2021-2588 Moderate: Ruby Fix

red hat
Calendar Grey June 29, 2021
Dist Redhat Esm H88
Keep informed about Red Hat's newest guidance on security and bug fixes for ruby:2.6 categorized as moderate.
An update for the ruby:2.6 module is now available for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: ruby (2.6.7). (BZ#1952627)
Security Fix(es):
* rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code (CVE-2019-3881)
* ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)
* ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201)
* ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)
* rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)
* ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)
* ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)
* ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)
* ruby: HTTP response splitting in WEBrick (CVE-2019-16254)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Resolv::DNS: ruby:2.6/ruby: timeouts if multiple IPv6 name servers are given and address contains leading zero [rhel-8] (BZ#1954968)

Topics%20covered

Topics Covered

security advisory moderate Red Hat bug fix ruby module

References

https://access.redhat.com/security/cve/CVE-2019-3881 https://access.redhat.com/security/cve/CVE-2019-15845 https://access.redhat.com/security/cve/CVE-2019-16201 https://access.redhat.com/security/cve/CVE-2019-16254 https://access.redhat.com/security/cve/CVE-2019-16255 https://access.redhat.com/security/cve/CVE-2020-10663 https://access.redhat.com/security/cve/CVE-2020-10933 https://access.redhat.com/security/cve/CVE-2020-25613 https://access.redhat.com/security/cve/CVE-2021-28965 https://access.redhat.com/security/updates/classification#moderate

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: ruby-2.6.7-107.module+el8.4.0+10830+bbd85cce.src.rpm rubygem-abrt-0.3.0-4.module+el8.1.0+3653+beb38eb0.src.rpm rubygem-bson-4.5.0-1.module+el8.1.0+3653+beb38eb0.src.rpm rubygem-mongo-2.8.0-1.module+el8.1.0+3653+beb38eb0.src.rpm rubygem-mysql2-0.5.2-1.module+el8.1.0+3653+beb38eb0.src.rpm rubygem-pg-1.1.4-1.module+el8.1.0+3653+beb38eb0.src.rpm
aarch64: ruby-2.6.7-107.module+el8.4.0+10830+bbd85cce.aarch64.rpm ruby-debuginfo-2.6.7-107.module+el8.4.0+10830+bbd85cce.aarch64.rpm ruby-debugsource-2.6.7-107.module+el8.4.0+10830+bbd85cce.aarch64.rpm ruby-devel-2.6.7-107.module+el8.4.0+10830+bbd85cce.aarch64.rpm ruby-libs-2.6.7-107.module+el8.4.0+10830+bbd85cce.aarch64.rpm ruby-libs-debuginfo-2.6.7-107.module+el8.4.0+10830+bbd85cce.aarch64.rpm rubygem-bigdecimal-1.4.1-107.module+el8.4.0+10830+bbd85cce.aarch64.rpm rubygem-bigdecimal-debuginfo-1.4.1-107.module+el8.4.0+10830+bbd85cce.aarch64.rpm rubygem-bson-4.5.0-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-bson-debuginfo-4.5.0-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-bson-debugsource-4.5.0-1.module+el8.1.0+3653+beb38eb0.aarch64.rpm rubygem-io-console-0.4.7-107.module+el8.4.0+10830+bbd85cce.aarch64.rpm

Read the Full Advisory


Advisory ID: RHSA-2021:2588-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2588
Issue date: 2021-06-29

Topic

An update for the ruby:2.6 module is now available for Red Hat EnterpriseLinux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory moderate Red Hat bug fix ruby module

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

1651826 - CVE-2019-3881 rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code

1773728 - CVE-2019-16201 ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication

1789407 - CVE-2019-15845 ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch?

1789556 - CVE-2019-16254 ruby: HTTP response splitting in WEBrick

1793683 - CVE-2019-16255 ruby: Code injection via command argument of Shell#test / Shell#[]

1827500 - CVE-2020-10663 rubygem-json: Unsafe object creation vulnerability in JSON

1833291 - CVE-2020-10933 ruby: BasicSocket#read_nonblock method leads to information disclosure

1883623 - CVE-2020-25613 ruby: Potential HTTP request smuggling in WEBrick

1947526 - CVE-2021-28965 ruby: XML round-trip vulnerability in REXML

1952627 - Rebase to the latest Ruby 2.6 point release [rhel-8] [rhel-8.4.0.z]

1954968 - Resolv::DNS: ruby:2.6/ruby: timeouts if multiple IPv6 name servers are given and address contains leading zero [rhel-8] [rhel-8.4.0.z]

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here