
Security: Multiple issues in Ruby
Name: Multiple issues in Ruby
ID: USN-4882-1
Distribution: Ubuntu
Platforms: Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 20.10
Date: Thu, 18 March 2021, 23:30
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10933
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613
Applications: Ruby

Original message

From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: "ubuntu-security-announce@lists.ubuntu.com"
<ubuntu-security-announce@lists.ubuntu.com>
Message-ID: <99cc32ad-fb5f-c623-b705-0c90369d05b2@canonical.com>
Subject: [USN-4882-1] Ruby vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4882-1
March 18, 2021

ruby2.3, ruby2.5, ruby2.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Ruby.

Software Description:
- ruby2.7: Object-oriented scripting language
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language

Details:

It was discovered that the Ruby JSON gem incorrectly handled certain JSON
files. If a user or automated system were tricked into parsing a specially
crafted JSON file, a remote attacker could use this issue to execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04
LTS. (CVE-2020-10663)
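The defensive side of the JSON issue above is to parse untrusted documents in a mode that can never instantiate application classes. The following Ruby snippet is an added example, not code from the notice or from the Ruby project; it relies on the JSON gem's documented `create_additions` option and `json_class` marker key (background not stated in the notice) and on a constructed sample document.

```ruby
require 'json'

# Constructed sample document. The "json_class" key is the marker the JSON
# gem's create_additions feature uses to build Ruby objects while parsing;
# untrusted input should never be allowed to drive that.
UNTRUSTED_DOC = '{"json_class":"Range","a":[1,10,false],"note":"looks harmless"}'

# Parse untrusted input with object creation explicitly disabled.
# JSON.parse already defaults to create_additions: false; passing it
# explicitly guards against a later swap to JSON.load or a changed default.
def parse_untrusted(source)
  JSON.parse(source, create_additions: false, max_nesting: 32)
end

# Collect any json_class markers that survive parsing as plain strings, so an
# application can log or reject documents that carry type tags at all.
def object_markers(value, found = [])
  case value
  when Hash
    found << value['json_class'] if value.key?('json_class')
    value.each_value { |v| object_markers(v, found) }
  when Array
    value.each { |v| object_markers(v, found) }
  end
  found
end

# Returns the parsed data, the Ruby class it came back as, and the markers seen.
def safe_parse_result(source)
  data = parse_untrusted(source)
  { data: data, class: data.class, markers: object_markers(data) }
end

if __FILE__ == $PROGRAM_NAME
  result = safe_parse_result(UNTRUSTED_DOC)
  puts "parsed as #{result[:class]}"                     # Hash, not Range
  puts "type markers seen: #{result[:markers].inspect}"  # ["Range"]
end
```

With additions disabled the document comes back as an ordinary Hash and the `json_class` value is just a string; `object_markers` gives a cheap signal for rejecting or alerting on input that tries to carry type tags.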

It was discovered that Ruby incorrectly handled certain socket memory
operations. A remote attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-10933)

It was discovered that Ruby incorrectly handled certain transfer-encoding
headers when using Webrick. A remote attacker could possibly use this issue
to bypass a reverse proxy. (CVE-2020-25613)
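The proxy-bypass class of bug behind CVE-2020-25613 comes from a server framing a request body differently from the proxy in front of it. A server or proxy avoids that by refusing any request whose framing is ambiguous. The Ruby code below is an added example written for this page, not WEBrick's code or the actual upstream fix; it applies the HTTP/1.1 rule that a message carries either a single `chunked` transfer coding or a single numeric `Content-Length`, and anything else is rejected. The raw requests it checks are constructed samples.

```ruby
# Minimal parser for the header block of a raw HTTP/1.1 request.
# Returns a Hash of lower-cased header name => array of values.
def parse_headers(raw)
  lines = raw.split(/\r?\n/)
  lines.shift # drop the request line
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    break if line.empty? # end of header block
    name, value = line.split(':', 2)
    raise ArgumentError, "malformed header line: #{line.inspect}" if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  headers
end

# Decide how the body is framed. Returns :chunked, :content_length or :none,
# and raises ArgumentError on anything two parsers might resolve differently.
def body_framing(headers)
  te = headers['transfer-encoding']
  cl = headers['content-length']

  if !te.empty? && !cl.empty?
    raise ArgumentError, 'Transfer-Encoding and Content-Length must not both be present'
  end

  unless te.empty?
    codings = te.flat_map { |v| v.split(',') }.map { |c| c.strip.downcase }
    # Only a single 'chunked' coding is accepted; unknown or stacked codings
    # are refused rather than guessed at.
    unless codings == ['chunked']
      raise ArgumentError, "unsupported Transfer-Encoding: #{codings.join(', ')}"
    end
    return :chunked
  end

  unless cl.empty?
    raise ArgumentError, 'conflicting Content-Length values' unless cl.uniq.size == 1
    raise ArgumentError, 'invalid Content-Length' unless cl.first =~ /\A\d+\z/
    return :content_length
  end

  :none
end

# Wraps the check so a caller gets [:ok, framing] or [:reject, reason].
def check_request(raw)
  [:ok, body_framing(parse_headers(raw))]
rescue ArgumentError => e
  [:reject, e.message]
end

# Constructed sample requests covering the accepted and rejected cases.
SAMPLES = {
  chunked: "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n",
  length:  "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 12\r\n\r\n",
  both:    "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 12\r\nTransfer-Encoding: chunked\r\n\r\n",
  unknown: "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: xchunked\r\n\r\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, raw| puts "#{name}: #{check_request(raw).inspect}" }
end
```

The strictness is the point: a server that silently falls back to `Content-Length` when it sees a transfer coding it does not recognise is exactly the kind of lenient parser a front-end proxy can disagree with, so rejecting with a 400-style error is the safe default.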

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
libruby2.7 2.7.1-3ubuntu1.2
ruby2.7 2.7.1-3ubuntu1.2

Ubuntu 20.04 LTS:
libruby2.7 2.7.0-5ubuntu1.3
ruby2.7 2.7.0-5ubuntu1.3

Ubuntu 18.04 LTS:
libruby2.5 2.5.1-1ubuntu1.8
ruby2.5 2.5.1-1ubuntu1.8

Ubuntu 16.04 LTS:
libruby2.3 2.3.1-2~ubuntu16.04.15
ruby2.3 2.3.1-2~ubuntu16.04.15

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4882-1
CVE-2020-10663, CVE-2020-10933, CVE-2020-25613

Package Information:
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.1-3ubuntu1.2
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.3
https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.8
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~ubuntu16.04.15


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmBTjhAACgkQZWnYVadE
vpOUbBAAtcZofbWnTLcT+3NU8tumgnnIDxICwL81WIFJme0CtC88l1GpHrMnzG2d
Z/i65SZZPz1Qmb4ReIUXv+2mYpRUnTBHKP6Uvp/9A158CJ625D+EZDQlFrHPOB7m
TVpYMqgyrxeQef0uG7CP1klcUpGIM/AraZ6XQa7rKnasXypccllwgATIg5G3kvY5
54VD8SiCZo5iKf4BLc5HrMyP7BnxCxqA5dsKPaFIyuMCCwcboryioYRle9rr8qes
BgYpIZOVF8Xx0+mUfBS3UN+mewaCzIn+WHdYtA2YOdCxT5+tJ7/faAIk1+b4C5ah
oopCHQ5miGWHsItv7hA7Xii/ez3PCYCqD+DuF2wLqkDWDsCsNcFZdnigZ+wyR1Xm
oPBZ4aMhOsjuHFJZdUFx6dVQvZQNzTKL1/wirnFPnW0OjW2M5i36MiNMjN30rKGV
5tNeLGQ1CJIb3Op7XadX9W8MdUVzV7JfZcoeYhC2x4eNqojnT56r3DnjrTTpifGH
U993kPhAG2rwRoR98dHDznu/gD5NDcJ01ysISwk/2vIbQZCZ4SzFaaVRnoT2qRFM
C1uxTkIdgymc4ANjn7Csq7zdWosBj9IVdIuYbJwjWwOMwsBO90L2rUQc8F/wV52Y
Z/wLJg7IuEOUNhL4O1Sw83YXkLPnEBXpCnvrNx1HiUUMNSJj4yg=
=vB4l
-----END PGP SIGNATURE-----
