Security update for ruby2.5 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1535-1 Final 1 1 2021-12-06T12:33:07Z current 2021-12-06T12:33:07Z 2021-12-06T12:33:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ruby2.5 This update for ruby2.5 fixes the following issues: - CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375). - CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161). - CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1535 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFO6LZPCK3BJ6OA3FTD3UWQI47BKDQBA/ E-Mail link for openSUSE-SU-2021:1535-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188160 SUSE Bug 1188160 https://bugzilla.suse.com/1188161 SUSE Bug 1188161 https://bugzilla.suse.com/1190375 SUSE Bug 1190375 https://www.suse.com/security/cve/CVE-2021-31799/ SUSE CVE CVE-2021-31799 page https://www.suse.com/security/cve/CVE-2021-31810/ SUSE CVE CVE-2021-31810 page https://www.suse.com/security/cve/CVE-2021-32066/ SUSE CVE CVE-2021-32066 page openSUSE Leap 15.2 libruby2_5-2_5-2.5.9-lp152.2.9.1 ruby2.5-2.5.9-lp152.2.9.1 ruby2.5-devel-2.5.9-lp152.2.9.1 ruby2.5-devel-extra-2.5.9-lp152.2.9.1 ruby2.5-doc-2.5.9-lp152.2.9.1 ruby2.5-doc-ri-2.5.9-lp152.2.9.1 ruby2.5-stdlib-2.5.9-lp152.2.9.1 libruby2_5-2_5-2.5.9-lp152.2.9.1 as a component of openSUSE Leap 15.2 ruby2.5-2.5.9-lp152.2.9.1 as a component of openSUSE Leap 15.2 ruby2.5-devel-2.5.9-lp152.2.9.1 as a component of openSUSE Leap 15.2 ruby2.5-devel-extra-2.5.9-lp152.2.9.1 as a component of openSUSE Leap 15.2 ruby2.5-doc-2.5.9-lp152.2.9.1 as a component of openSUSE Leap 15.2 ruby2.5-doc-ri-2.5.9-lp152.2.9.1 as a component of openSUSE Leap 15.2 ruby2.5-stdlib-2.5.9-lp152.2.9.1 as a component of openSUSE Leap 15.2 In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. CVE-2021-31799 openSUSE Leap 15.2:libruby2_5-2_5-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-devel-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-devel-extra-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-doc-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-doc-ri-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-stdlib-2.5.9-lp152.2.9.1 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFO6LZPCK3BJ6OA3FTD3UWQI47BKDQBA/ https://www.suse.com/security/cve/CVE-2021-31799.html CVE-2021-31799 https://bugzilla.suse.com/1190375 SUSE Bug 1190375 https://bugzilla.suse.com/1196771 SUSE Bug 1196771 An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). CVE-2021-31810 openSUSE Leap 15.2:libruby2_5-2_5-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-devel-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-devel-extra-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-doc-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-doc-ri-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-stdlib-2.5.9-lp152.2.9.1 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFO6LZPCK3BJ6OA3FTD3UWQI47BKDQBA/ https://www.suse.com/security/cve/CVE-2021-31810.html CVE-2021-31810 https://bugzilla.suse.com/1188161 SUSE Bug 1188161 https://bugzilla.suse.com/1193383 SUSE Bug 1193383 https://bugzilla.suse.com/1205053 SUSE Bug 1205053 An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." CVE-2021-32066 openSUSE Leap 15.2:libruby2_5-2_5-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-devel-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-devel-extra-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-doc-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-doc-ri-2.5.9-lp152.2.9.1 openSUSE Leap 15.2:ruby2.5-stdlib-2.5.9-lp152.2.9.1 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SFO6LZPCK3BJ6OA3FTD3UWQI47BKDQBA/ https://www.suse.com/security/cve/CVE-2021-32066.html CVE-2021-32066 https://bugzilla.suse.com/1188160 SUSE Bug 1188160 https://bugzilla.suse.com/1196771 SUSE Bug 1196771 https://bugzilla.suse.com/1205053 SUSE Bug 1205053