Security update for rubygem-excon SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0036-1 Final 1 1 2020-01-13T15:21:02Z current 2020-01-13T15:21:02Z 2020-01-13T15:21:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for rubygem-excon This update for rubygem-excon fixes the following issues: CVE-2019-16779 (boo#1159342): Fix a race condition around persistent connections, where a connection, which was interrupted, would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-36 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZGWO6G7VLDG32O4P5HJNHJHSO3NC52T5/ E-Mail link for openSUSE-SU-2020:0036-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1159342 SUSE Bug 1159342 https://www.suse.com/security/cve/CVE-2019-16779/ SUSE CVE CVE-2019-16779 page openSUSE Leap 15.1 ruby2.5-rubygem-excon-0.59.0-lp151.3.3.1 ruby2.5-rubygem-excon-doc-0.59.0-lp151.3.3.1 ruby2.5-rubygem-excon-testsuite-0.59.0-lp151.3.3.1 ruby2.5-rubygem-excon-0.59.0-lp151.3.3.1 as a component of openSUSE Leap 15.1 ruby2.5-rubygem-excon-doc-0.59.0-lp151.3.3.1 as a component of openSUSE Leap 15.1 ruby2.5-rubygem-excon-testsuite-0.59.0-lp151.3.3.1 as a component of openSUSE Leap 15.1 In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this. CVE-2019-16779 openSUSE Leap 15.1:ruby2.5-rubygem-excon-0.59.0-lp151.3.3.1 openSUSE Leap 15.1:ruby2.5-rubygem-excon-doc-0.59.0-lp151.3.3.1 openSUSE Leap 15.1:ruby2.5-rubygem-excon-testsuite-0.59.0-lp151.3.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZGWO6G7VLDG32O4P5HJNHJHSO3NC52T5/ https://www.suse.com/security/cve/CVE-2019-16779.html CVE-2019-16779 https://bugzilla.suse.com/1159342 SUSE Bug 1159342