Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

Ubuntu 20.10 LTS: USN-4882-1 Critical: Ruby Code Execution Issue

ubuntu
Calendar Grey March 18, 2021
Dist Ubuntu Esm H88
Numerous vulnerabilities concerning Ruby have been resolved in Ubuntu 20.10, 20.04, 18.04, and 16.04 LTS, with essential patches issued.
Several security issues were fixed in Ruby.

Summary

Several security issues were fixed in Ruby.

Software Description:

- ruby2.7: Object-oriented scripting language

- ruby2.5: Object-oriented scripting language

- ruby2.3: Object-oriented scripting language

Details:

It was discovered that the Ruby JSON gem incorrectly handled certain JSON

files. If a user or automated system were tricked into parsing a specially

crafted JSON file, a remote attacker could use this issue to execute

arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04

LTS. (CVE-2020-10663)

It was discovered that Ruby incorrectly handled certain socket memory

operations. A remote attacker could possibly use this issue to obtain

sensitive information. This issue only affected Ubuntu 18.04 LTS and

Ubuntu 20.04 LTS. (CVE-2020-10933)

It was discovered that Ruby incorrectly handled certain transfer-encoding

headers when using Webrick. A remote attacker could possibly use this issue

to bypass a reverse proxy. (CVE-2020-25613)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
  libruby2.7                      2.7.1-3ubuntu1.2
  ruby2.7                         2.7.1-3ubuntu1.2

Ubuntu 20.04 LTS:
  libruby2.7                      2.7.0-5ubuntu1.3
  ruby2.7                         2.7.0-5ubuntu1.3

Ubuntu 18.04 LTS:
  libruby2.5                      2.5.1-1ubuntu1.8
  ruby2.5                         2.5.1-1ubuntu1.8

Ubuntu 16.04 LTS:
  libruby2.3                      2.3.1-2~ubuntu16.04.15
  ruby2.3                         2.3.1-2~ubuntu16.04.15

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-4882-1

CVE-2020-10663, CVE-2020-10933, CVE-2020-25613

Severity
critical
Lowest
Low
Medium
High
Critical

March 18, 2021

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.