Opened 19 months ago

Closed 19 months ago

Last modified 18 months ago

#15249 closed enhancement (fixed)

ruby-3.0.2

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: elevated Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Bruce Dubbs, 19 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:2 by Bruce Dubbs, 19 months ago

Ruby 3.0.2 has been released.

This release includes security fixes. Please check the topics below for details.

  • CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP

A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). Medium.

  • CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.” Base Score 6.5.

  • CVE-2021-31799: A command injection vulnerability in RDoc

RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run rdoc command. Score 8.4.

comment:3 by Bruce Dubbs, 19 months ago

Resolution: fixed
Status: assignedclosed

Fixed at commit e6b445c47c7e44c08a01bdf054b49822d51b7f4c

Package Updates.
    Update to ruby-3.0.2. 
    Update to bluez-5.60. 
    Update to libuv-1.41.1. 
    Update to libbytesize-2.6.
    Update to mariadb-10.6.3. 

comment:4 by Douglas R. Reno, 19 months ago

Priority: normalelevated

comment:5 by Bruce Dubbs, 18 months ago

Milestone: 10.211.0

Milestone renamed

Note: See TracTickets for help on using tickets.