#15249 closed enhancement (fixed)
ruby-3.0.2
| Reported by: | Bruce Dubbs | Owned by: | Bruce Dubbs |
|---|---|---|---|
| Priority: | elevated | Milestone: | 11.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version.
Change History (5)
comment:1 by , 3 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 3 years ago
comment:3 by , 3 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at commit e6b445c47c7e44c08a01bdf054b49822d51b7f4c
Package Updates.
Update to ruby-3.0.2.
Update to bluez-5.60.
Update to libuv-1.41.1.
Update to libbytesize-2.6.
Update to mariadb-10.6.3.
comment:4 by , 3 years ago
| Priority: | normal → elevated |
|---|
Note:
See TracTickets
for help on using tickets.
Ruby 3.0.2 has been released.
This release includes security fixes. Please check the topics below for details.
A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). Medium.
Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.” Base Score 6.5.
RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run rdoc command. Score 8.4.