4.Lock AbstractDigital

Two important security bugs have been found in Ruby. It was discovered that an HTTP response splitting flaw exists in the Ruby cgi gem before, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 (CVE-2021-3362). It was also discovered that a buffer over-read occurs in String-to-Float conversion in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2 (CVE-2022-28739). With a low attack complexity and a high confidentiality and integrity impact, these bugs have received a National Vulnerability Database severity rating of “High”.

An attacker could exploit these flaws to maliciously modify the response a user would receive from a vulnerable application, or to expose sensitive information.

A Ruby security update has been released that mitigates these issues. We strongly recommend that all impacted users apply the Ruby updates issued by their distro(s) immediately to protect against attacks threatening the confidentiality and integrity of their systems and their sensitive data.

To stay on top of important updates released by the open-source programs and applications you use, be sure to register as a LinuxSecurity user, then subscribe to our Linux Advisory Watch newsletter and customize your advisories for the distro(s) you use. This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems.

Follow @LS_Advisories on Twitter for real-time updates on advisories for your distro(s).