From: Marc Deslauriers
Reply-To: Ubuntu Security
To: "ubuntu-security-announce@lists.ubuntu.com"
Message-ID: <99cc32ad-fb5f-c623-b705-0c90369d05b2@canonical.com>
Subject: [USN-4882-1] Ruby vulnerabilities
==========================================================================
Ubuntu Security Notice USN-4882-1
March 18, 2021
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby2.7: Object-oriented scripting language
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language
Details:
It was discovered that the Ruby JSON gem incorrectly handled certain JSON
files. If a user or automated system were tricked into parsing a specially
crafted JSON file, a remote attacker could use this issue to execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04
LTS. (CVE-2020-10663)
It was discovered that Ruby incorrectly handled certain socket memory
operations. A remote attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-10933)
It was discovered that Ruby incorrectly handled certain transfer-encoding
headers when using Webrick. A remote attacker could possibly use this issue
to bypass a reverse proxy. (CVE-2020-25613)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.10:
libruby2.7 2.7.1-3ubuntu1.2
ruby2.7 2.7.1-3ubuntu1.2
Ubuntu 20.04 LTS:
libruby2.7 2.7.0-5ubuntu1.3
ruby2.7 2.7.0-5ubuntu1.3
Ubuntu 18.04 LTS:
libruby2.5 2.5.1-1ubuntu1.8
ruby2.5 2.5.1-1ubuntu1.8
Ubuntu 16.04 LTS:
libruby2.3 2.3.1-2~ubuntu16.04.15
ruby2.3 2.3.1-2~ubuntu16.04.15
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-4882-1
CVE-2020-10663, CVE-2020-10933, CVE-2020-25613
Package Information:
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.1-3ubuntu1.2
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.3
https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.8
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~ubuntu16.04.15