Ubuntu has issued an advisory on April 20: https://ubuntu.com/security/notices/USN-4922-1
The issue is fixed upstream in 2.7.3. Ubuntu has a patch for 2.5.x.
Mageia 7 and Mageia 8 are also affected.

Status comment: (none) => Fixed upstream in 2.7.3
Whiteboard: (none) => MGA8TOO, MGA7TOO
Fedora has issued an advisory for this on April 17: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VF3QUOV6OJPCL64ZDHTQRENRJQZPZO6S/
openSUSE has issued an advisory for this on April 24: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CMW3G6JZK6A7ZRJZ7VOMELHWOQBYPIOY/
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
Ubuntu has issued an advisory on July 22: https://ubuntu.com/security/notices/USN-5020-1
The issues are fixed upstream in 2.7.4:
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/

Summary: ruby new security issue CVE-2021-28965 => ruby new security issues CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066
Status comment: Fixed upstream in 2.7.3 => Fixed upstream in 2.7.4
Fedora has issued an advisory for this today (July 29): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MWXHK5UUHVSHF7HTHMX6JY3WXDVNIHSL/
It adds CVE-2020-36327 in ruby-bundler, fixed in 2.2.18 (latest is 2.2.20).

Severity: major => critical
Summary: ruby new security issues CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066 => ruby new security issues CVE-2020-36327, CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066
Upstream has issued advisories today (November 24):
http://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
http://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/
http://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
The issues are fixed upstream in 2.7.5: http://www.ruby-lang.org/en/news/2021/11/24/ruby-2-7-5-released/

Summary: ruby new security issues CVE-2020-36327, CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066 => ruby new security issues CVE-2020-36327, CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066, CVE-2021-4181[679]
Status comment: Fixed upstream in 2.7.4 => Fixed upstream in 2.7.5
Update to 2.7.5 built by Pascal.

What about CVE-2020-36327? I didn't see that in your commit message. If the bundler_version in the SPEC is correct, I guess that still needs to be updated.

ruby-2.7.5-33.1.mga8
ruby-rdoc-6.2.1.1-33.1.mga8
libruby2.7-2.7.5-33.1.mga8
ruby-devel-2.7.5-33.1.mga8
ruby-bundler-2.1.4-33.1.mga8
ruby-RubyGems-3.1.2-33.1.mga8
ruby-openssl-2.1.3-33.1.mga8
ruby-test-unit-3.3.4-33.1.mga8
ruby-rake-13.0.1-33.1.mga8
ruby-irb-2.7.5-33.1.mga8
ruby-psych-3.1.0-33.1.mga8
ruby-bigdecimal-2.0.0-33.1.mga8
ruby-json-2.3.0-33.1.mga8
ruby-xmlrpc-0.3.0-33.1.mga8
ruby-net-telnet-0.2.0-33.1.mga8
ruby-io-console-0.5.6-33.1.mga8
ruby-power_assert-1.1.7-33.1.mga8
ruby-did_you_mean-1.4.0-33.1.mga8
ruby-doc-2.7.5-33.1.mga8

from ruby-2.7.5-33.1.mga8.src.rpm
Thank you, I had indeed missed that CVE-2020-36327 had not been fixed. I'll look into it.
For CVE-2020-36327 RH updated the bundled version to 2.2.24 (from 2.1.4) on RHEL as backporting the fix was too complicated and risked adding bugs. Debian didn't fix it for that reason. Given that RH was also using 2.7.4 and issued the update in July and didn't have to fix it since I guess we can assume 2.2.24 works well enough with Ruby 2.7 and do the same, I'll update the package.
Pascal updated bundler to 2.2.24. Package list is now:

ruby-2.7.5-33.2.mga8
libruby2.7-debuginfo-2.7.5-33.2.mga8
ruby-debuginfo-2.7.5-33.2.mga8
libruby2.7-2.7.5-33.2.mga8
ruby-rdoc-6.2.1.1-33.2.mga8
ruby-devel-2.7.5-33.2.mga8
ruby-bundler-2.2.24-33.2.mga8
ruby-RubyGems-3.1.2-33.2.mga8
ruby-openssl-debuginfo-2.1.3-33.2.mga8
ruby-test-unit-3.3.4-33.2.mga8
ruby-openssl-2.1.3-33.2.mga8
ruby-rake-13.0.1-33.2.mga8
ruby-bigdecimal-debuginfo-2.0.0-33.2.mga8
ruby-doc-2.7.5-33.2.mga8
ruby-json-debuginfo-2.3.0-33.2.mga8
ruby-psych-3.1.0-33.2.mga8
ruby-irb-2.7.5-33.2.mga8
ruby-bigdecimal-2.0.0-33.2.mga8
ruby-json-2.3.0-33.2.mga8
ruby-psych-debuginfo-3.1.0-33.2.mga8
ruby-xmlrpc-0.3.0-33.2.mga8
ruby-io-console-debuginfo-0.5.6-33.2.mga8
ruby-io-console-0.5.6-33.2.mga8
ruby-net-telnet-0.2.0-33.2.mga8
ruby-power_assert-1.1.7-33.2.mga8
ruby-did_you_mean-1.4.0-33.2.mga8

from ruby-2.7.5-33.2.mga8.src.rpm
Cauldron hasn't been updated or fixed yet.
As Pascal just told on IRC, he is working on updating Cauldron to 3.0, but it needs to wait for 3.1.0. Can we clone this bug report for mga9 and close this one when validated? This will avoid keeping a stable release with CVEs for a long time.
CC: (none) => mageia
Sure.
Blocks: (none) => 29783
As Pascal is working on updating ruby on mga9 (bug 29783), we can work on this one only for Mageia 8.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
Status comment: Fixed upstream in 2.7.5 => (none)
Blocks: 29783 => (none)
mga8, x86_64

Not competent to investigate the issues listed, so going for a straight install. Removed debuginfo packages and updated the rest without problems. Some simple tests later.
CC: (none) => tarazed25
$ ruby --version
ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [x86_64-linux]

Some simple exercises in irb:

$ irb
irb(main):001:0> target = "/home\0/lcl/ruby"
=> "/home\u0000/lcl/ruby"
irb(main):002:0> files = Dir.entries( target )
Traceback (most recent call last):
        6: from /usr/bin/irb:23:in `<main>'
....
ArgumentError (path name contains null byte)
....
irb(main):006:0> Dir.entries( "." )
=> [".", "..", "rpcbomb.rb", "animate.rb", "#report.22844#", "circular.rb", "cve14033.rb", "example_1.rb", "report.19078", "test", "minitide.gif", "fiddle", "webrick.rb", "malicious.gem", "eventide.jpg", "annotate.rb", "huge-summary-0.0.1.g........

$ irb
irb(main):002:0> sum = (1..10).inject( &:+ )
=> 55
irb(main):003:0> exit

$ ruby -e "puts (1..10).inject( &:+ )"
55

$ gem list

*** LOCAL GEMS ***

astro_moon (0.2)
benchmark (default: 0.1.0)
bigdecimal (2.0.0)
bundler (2.2.24)
cgi (default: 0.1.0.1)
.....
timers (4.3.3)
tk (0.2.0)
tracer (default: 0.1.0)
uri (default: 0.10.0)
wahwah (1.1.1)
webrick (default: 1.6.1)
xmlrpc (0.3.0)
yaml (default: 0.1.0)

Some of the gems were bundled with ruby.

$ sudo gem install nokogiri
Fetching racc-1.6.0.gem
Building native extensions. This could take a while...
Successfully installed racc-1.6.0
Fetching nokogiri-1.12.5-x86_64-linux.gem
Successfully installed nokogiri-1.12.5-x86_64-linux
Parsing documentation for racc-1.6.0
Installing ri documentation for racc-1.6.0
Parsing documentation for nokogiri-1.12.5-x86_64-linux
Installing ri documentation for nokogiri-1.12.5-x86_64-linux
Done installing documentation for racc, nokogiri after 1 seconds
2 gems installed

$ gem owner nokogiri
Owners for gem: nokogiri
- tenderlove
- flavorjones

Ran home-made jukebox which uses gems like mplayer-ruby for sound and video, runs a thread for a countdown and uses a pipe to control mplayer. No problems there or with any other local ruby scripts.

`urpmq --whatrequires lib64ruby2.7` returns 67 names.

$ cat rubyusers | grep -v ruby-
epic5
ice-ruby
kross-interpreters-ruby
lib64ruby2.7
libselinux-ruby
perl-ClearSilver
ruby
vim-enhanced
vim-X11
weechat-ruby

A recursive search returns 651 packages, many of which are likely to be bundled gems.

Installed epic5 and ran it from the command line without any investigation.

$ epic5
EPIC Version 5 -- Lugubrious EPIC Software Labs (2006)
Version (EPIC5-2.1.2), Commit Id (1908) -- Date (20200511)
Compiled by iurt@ec2x1.mageia.org on Wed Jun 17 2020 at 17:11:23 UTC
Process [1928441] connected to tty [/dev/pts/5]
Using terminal type [xterm-256color]
*** I can't find your mailbox.
Added a new CTCP named VERSION
Added a new CTCP named PING
Added a new CTCP named ECHO
[...]
Added a new CTCP named FINGER
Added a new CTCP named TIME
Added a new CTCP named UTC
*** Performing DNS lookup for [irc.efnet.net] (server 0)
*** DNS lookup for server 0 [irc.efnet.net] returned (18) addresses
*** Connecting to server refnum 0 (irc.efnet.net), using address 1
+(193.163.220.3:6667)
<pause>
*** INFO -- Could not connect to server [0] address [1] because of error:
+Connection timed out
*** This server doesn't have any addresses to connect to.
05:19pm [1] <not registered yet> EPIC5 -- Visit http://help.epicsol.org/ for h
>

Leaving that.

Installed puppet, again without investigation, but could not get the service to start, for lack of knowledge. /etc/puppetlabs contains configuration files but I am not getting into all that.

A trace on epic5 did show something:

$ grep ruby epic5.trace
openat(AT_FDCWD, "/lib64/libruby.so.2.7", O_RDONLY|O_CLOEXEC) = 3
getcwd("/home/lcl/qa/ruby", 4096) = 18

This shall have to do. Generally OK.
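The QA pass above checks the update by eye (`ruby --version`, `gem list`, the package labels). The script below is an added example, not part of this bug report or of Mageia's packaging: it parses RPM package labels and the first line of `ruby --version` and compares them against the fixed-in versions named in this bug (ruby 2.7.5, bundler 2.2.24), so the same check can be scripted on a stable box. The FIXED_IN table and the sample labels are taken from this thread; the function names are the example's own. Note that Gem::Version treats the "p203" patchlevel suffix as a prerelease tag and would rank "2.7.5p203" below "2.7.5", so the patchlevel is parsed out separately rather than fed into the comparison.

```ruby
require 'rubygems' # Gem::Version does the version comparison

# Fixed-in versions recorded in this bug: ruby 2.7.5 and bundler 2.2.24.
FIXED_IN = {
  'ruby'         => '2.7.5',
  'ruby-bundler' => '2.2.24'
}.freeze

# Split an RPM label such as "ruby-bundler-2.2.24-33.2.mga8" into
# name, version and release. Labels are NAME-VERSION-RELEASE, and NAME
# itself may contain dashes, so only the last two dashes separate fields.
def parse_rpm_label(label)
  m = label.match(/\A(?<name>.+)-(?<version>[^-]+)-(?<release>[^-]+)\z/)
  m && { name: m[:name], version: m[:version], release: m[:release] }
end

# Parse the first line of `ruby --version`, e.g.
# "ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [x86_64-linux]".
# The patchlevel is kept apart from the dotted version (see lead-in).
def parse_ruby_version(line)
  m = line.match(/\Aruby (?<version>\d+\.\d+\.\d+)p(?<patchlevel>-?\d+)/)
  m && { version: m[:version], patchlevel: m[:patchlevel].to_i }
end

# :fixed if the interpreter reports at least FIXED_IN['ruby'], :vulnerable
# if it is older, :unparsed if the line does not look like `ruby --version`.
def ruby_status(version_line)
  parsed = parse_ruby_version(version_line)
  return :unparsed unless parsed
  Gem::Version.new(parsed[:version]) >= Gem::Version.new(FIXED_IN['ruby']) ? :fixed : :vulnerable
end

# For each label return [label, status]; status is :fixed, :vulnerable,
# :untracked (package not in FIXED_IN) or :unparsed (malformed label).
def check_packages(labels)
  labels.map do |label|
    pkg = parse_rpm_label(label)
    next [label, :unparsed] unless pkg
    fixed = FIXED_IN[pkg[:name]]
    status = if fixed.nil? then :untracked
             elsif Gem::Version.new(pkg[:version]) >= Gem::Version.new(fixed) then :fixed
             else :vulnerable
             end
    [label, status]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: labels from the validated update plus the earlier
  # bundler build (2.1.4) for contrast. On a real box feed it
  # `rpm -qa 'ruby*'` output instead.
  sample = %w[ruby-2.7.5-33.2.mga8 ruby-bundler-2.2.24-33.2.mga8
              ruby-bundler-2.1.4-33.1.mga8 ruby-rdoc-6.2.1.1-33.2.mga8]
  check_packages(sample).each { |label, status| puts "#{label}: #{status}" }
  here = "ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL} [#{RUBY_PLATFORM}]"
  puts "this interpreter (#{here}): #{ruby_status(here)}"
end
```

Only the name and version fields decide the status; the release field (33.1 vs 33.2) is parsed but ignored, since the bundler bump in this bug changed the version, not just the release.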
Whiteboard: (none) => MGA8TOO MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0579.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED