
[SECURITY] [DLA 2780-1] ruby2.3 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- ----------------------------------------------------------------------
Debian LTS Advisory DLA-2780-1             debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Utkarsh Gupta
October 11, 2021                           https://wiki.debian.org/LTS
- ----------------------------------------------------------------------

Package        : ruby2.3
Version        : 2.3.3-1+deb9u10
CVE ID         : CVE-2021-31799 CVE-2021-31810 CVE-2021-32066
Debian Bug     : 990815

Multiple vulnerabilities were discovered in ruby2.3, the interpreter of the
object-oriented scripting language Ruby.

CVE-2021-31799

    In RDoc 3.11 through 6.x before 6.3.1, as distributed with
    Ruby through 2.3.3, it is possible to execute arbitrary
    code via | and tags in a filename.

CVE-2021-31810

    An issue was discovered in Ruby through 2.3.3. A malicious
    FTP server can use the PASV response to trick Net::FTP into
    connecting back to a given IP address and port. This
    potentially makes curl extract information about services
    that are otherwise private and not disclosed (e.g., the
    attacker can conduct port scans and service banner extractions).

CVE-2021-32066

    An issue was discovered in Ruby through 2.3.3. Net::IMAP does
    not raise an exception when StartTLS fails with an unknown
    response, which might allow man-in-the-middle attackers to
    bypass the TLS protections by leveraging a network position
    between the client and the registry to block the StartTLS
    command, aka a "StartTLS stripping attack."
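The two network-client issues above (CVE-2021-31810 and CVE-2021-32066) share one failure class: the client acts on a server response without checking it against what it already knows. The following is an added illustration written for this advisory, not code from Ruby's standard library or from the Debian fix. It shows the two defensive checks a hardened client performs, using constructed sample responses: a PASV parser that ignores the server-advertised address unless the caller explicitly opts in (the approach upstream Ruby took, which it exposes as a `use_pasv_ip` setting), and a STARTTLS response check that raises on anything other than a tagged OK. The function names `parse_pasv`, `data_endpoint` and `check_starttls_response`, the `StartTlsFailed` class, and all addresses and replies are this example's own.

```ruby
# Added example for DLA-2780-1: defensive handling of FTP PASV replies
# and IMAP STARTTLS responses. Not part of Ruby's Net::FTP / Net::IMAP.

# Parse a reply such as "227 Entering Passive Mode (192,0,2,10,195,80)"
# into [advertised_host, port]. Malformed or out-of-range values raise
# instead of being silently used for a data connection.
def parse_pasv(reply)
  m = reply.match(/\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)/)
  raise ArgumentError, "malformed PASV reply: #{reply.inspect}" unless m

  caps = m.captures.map(&:to_i)
  octets = caps[0, 4]
  p1, p2 = caps[4], caps[5]
  raise ArgumentError, "address octet out of range" if octets.any? { |o| o > 255 }
  raise ArgumentError, "port byte out of range" if p1 > 255 || p2 > 255

  port = (p1 << 8) | p2
  raise ArgumentError, "port 0 is not usable" if port.zero?
  [octets.join('.'), port]
end

# Decide where the data connection goes. With use_pasv_ip: false (the
# safe default in this example) the host advertised by the server is
# discarded and the peer of the control connection is reused, so a
# hostile PASV reply cannot redirect the client to a third party.
def data_endpoint(control_host, pasv_reply, use_pasv_ip: false)
  advertised_host, port = parse_pasv(pasv_reply)
  host = use_pasv_ip ? advertised_host : control_host
  [host, port]
end

# Raised when the server did not unambiguously accept STARTTLS.
class StartTlsFailed < StandardError; end

# Only a tagged "OK" for our own tag means the TLS upgrade may proceed.
# A NO/BAD, an untagged line, a reply for a different tag, or anything
# unparseable must abort rather than fall through to cleartext.
def check_starttls_response(tag, line)
  m = line.match(/\A(\S+) (OK|NO|BAD)\b(.*)\z/)
  unless m && m[1] == tag
    raise StartTlsFailed, "unexpected STARTTLS response: #{line.inspect}"
  end
  raise StartTlsFailed, "STARTTLS rejected: #{m[2]}#{m[3]}" unless m[2] == 'OK'
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample replies (documentation addresses, not real hosts).
  control = '198.51.100.7'
  pasv = '227 Entering Passive Mode (192,0,2,10,195,80)'
  puts "data connection -> #{data_endpoint(control, pasv).inspect}"
  begin
    check_starttls_response('A001', 'A001 NO STARTTLS not available')
  rescue StartTlsFailed => e
    puts "aborted: #{e.message}"
  end
end
```

The point of `data_endpoint` is that the port still comes from the PASV reply (the server legitimately chooses it), while the host does not; that single substitution removes the redirect primitive described in CVE-2021-31810 without changing the protocol. For STARTTLS, the check is deliberately strict about the tag as well as the status word, because a response for the wrong tag is exactly what an interposed party that swallowed the real command would hand back.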

For Debian 9 stretch, these problems have been fixed in version
2.3.3-1+deb9u10.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS