
Bug 801061 (CVE-2021-31810, CVE-2021-32066)

Summary: <dev-lang/ruby-{2.6.8,2.7.4,3.0.2}: multiple vulnerabilities (CVE-2021-{31810,32066})
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: minor
CC: ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa?]
Package list:
dev-lang/ruby-2.6.8
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 807352    

Description Hans de Graaff gentoo-dev 2021-07-07 18:01:43 UTC
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP

A trusting FTP PASV responses vulnerability was discovered in Net::FTP. This vulnerability has been assigned the CVE identifier CVE-2021-31810. We strongly recommend upgrading Ruby.

net-ftp is a default gem in Ruby 3.0.1 but it has a packaging issue, so please upgrade Ruby itself.

Details

A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).



CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

A StartTLS stripping vulnerability was discovered in Net::FTP. This vulnerability has been assigned the CVE identifier CVE-2021-32066. We strongly recommend upgrading Ruby.

net-imap is a default gem in Ruby 3.0.1 but it has a packaging issue, so please upgrade Ruby itself.

Details

Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.”

Affected Versions

    Ruby 2.6 series: 2.6.7 and earlier
    Ruby 2.7 series: 2.7.3 and earlier
    Ruby 3.0 series: 3.0.1 and earlier
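
Added example, not part of the original bug report or of Ruby's own code: a client-side check for the PASV issue described above, which keeps the port from the 227 reply but always connects to the control connection's peer address and flags a mismatch for logging. The helper names, addresses and sample replies are constructed for illustration.

```ruby
require "ipaddr"

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = /\A227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Constructed sample data (documentation address ranges, not real hosts).
CONTROL_PEER    = "203.0.113.10"
SAMPLE_HONEST   = "227 Entering Passive Mode (203,0,113,10,195,80)"
SAMPLE_REDIRECT = "227 Entering Passive Mode (198,51,100,7,31,144)"

# Returns [advertised_host, port] or raises on a malformed reply.
def parse_pasv(reply)
  m = PASV_RE.match(reply)
  raise ArgumentError, "malformed PASV reply: #{reply.inspect}" unless m
  octets = m.captures.map(&:to_i)
  raise ArgumentError, "PASV field out of range" if octets.any? { |o| o > 255 }
  [octets[0, 4].join("."), (octets[4] << 8) | octets[5]]
end

# Hardened endpoint selection: the server only gets to choose the port.
# Returns [host_to_connect, port, mismatch]; mismatch is true when the
# advertised address differs from the control peer and should be logged.
def data_endpoint(reply, control_peer_ip)
  advertised, port = parse_pasv(reply)
  mismatch = IPAddr.new(advertised) != IPAddr.new(control_peer_ip)
  [control_peer_ip, port, mismatch]
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_HONEST, SAMPLE_REDIRECT].each do |reply|
    host, port, mismatch = data_endpoint(reply, CONTROL_PEER)
    note = mismatch ? " (advertised address ignored, log this)" : ""
    puts "connect data channel to #{host}:#{port}#{note}"
  end
end
```

Fixed Net::FTP releases ignore the PASV address by default and expose `use_pasv_ip` for servers that genuinely need the old behaviour.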
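
Added example, not part of the original bug report: a simplified model of the StartTLS decision described above, contrasting a client that silently stays in cleartext on an unexpected reply with one that raises. It is not Net::IMAP's implementation; the tag `RUBY0001`, the function names and the server transcripts are constructed.

```ruby
class StartTLSError < StandardError; end

# Constructed server transcripts for one STARTTLS command tagged RUBY0001.
TAG          = "RUBY0001"
REPLY_OK     = ["* OK still here\r\n", "RUBY0001 OK Begin TLS negotiation now\r\n"]
REPLY_ODD    = ["RUBY0001 UNEXPECTED something else\r\n"]   # unknown status
REPLY_ABSENT = ["* BYE closing\r\n"]                         # no tagged reply

# Status word of the tagged completion for `tag`, or nil if none arrived.
# Untagged ("*") lines and other tags are skipped.
def tagged_status(lines, tag)
  lines.each do |line|
    t, status, = line.chomp.split(" ", 3)
    return status.to_s.upcase if t == tag
  end
  nil
end

# Lenient client (the behaviour the advisory describes): upgrades on OK,
# otherwise carries on without TLS and without telling the caller.
def lenient_starttls(lines, tag)
  tagged_status(lines, tag) == "OK" ? :tls : :plaintext
end

# Strict client: only a tagged OK permits the TLS handshake; every other
# outcome aborts so credentials are never sent in cleartext.
def strict_starttls(lines, tag)
  status = tagged_status(lines, tag)
  return :tls if status == "OK"
  raise StartTLSError, "STARTTLS not confirmed (status #{status.inspect})"
end

if __FILE__ == $PROGRAM_NAME
  { "ok" => REPLY_OK, "odd" => REPLY_ODD, "absent" => REPLY_ABSENT }.each do |name, lines|
    strict = begin
      strict_starttls(lines, TAG)
    rescue StartTLSError => e
      "raised: #{e.message}"
    end
    puts "#{name}: lenient=#{lenient_starttls(lines, TAG)} strict=#{strict}"
  end
end
```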
Comment 1 Larry the Git Cow gentoo-dev 2021-07-07 19:15:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a8288a89c3070b2a97a480cd6674eaf6b34c1df

commit 5a8288a89c3070b2a97a480cd6674eaf6b34c1df
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-07 19:15:07 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-07 19:15:15 +0000

    dev-lang/ruby: add 2.6.8, 2.7.4, 3.0.2
    
    Bug: https://bugs.gentoo.org/801061
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest          |   3 +
 dev-lang/ruby/ruby-2.6.8.ebuild | 258 +++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-2.7.4.ebuild | 264 ++++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-3.0.2.ebuild | 263 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 788 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-10 15:40:55 UTC
ppc64 done
Comment 3 Rolf Eike Beer archtester 2021-07-10 17:23:44 UTC
sparc done
Comment 4 Agostino Sarubbo gentoo-dev 2021-07-11 08:58:58 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-07-11 09:00:54 UTC
ppc stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 20:51:56 UTC
x86 done
Comment 7 Rolf Eike Beer archtester 2021-07-15 20:29:50 UTC
hppa done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 03:58:36 UTC
arm done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-22 06:06:57 UTC
arm64 done

all arches done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-22 06:08:02 UTC
Please cleanup, thanks!
Comment 11 Larry the Git Cow gentoo-dev 2021-07-24 09:24:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=529c2120ae06c7cdb82a1c68abd2cb3ac1ca315c

commit 529c2120ae06c7cdb82a1c68abd2cb3ac1ca315c
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-24 09:24:10 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-24 09:24:10 +0000

    dev-lang/ruby: clean up vulnerable versions
    
    Bug: https://bugs.gentoo.org/801061
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest             |   3 -
 dev-lang/ruby/ruby-2.6.7-r2.ebuild | 258 -----------------------------------
 dev-lang/ruby/ruby-2.7.3-r3.ebuild | 263 ------------------------------------
 dev-lang/ruby/ruby-2.7.3-r4.ebuild | 267 -------------------------------------
 dev-lang/ruby/ruby-2.7.3-r5.ebuild | 266 ------------------------------------
 dev-lang/ruby/ruby-3.0.1-r1.ebuild | 264 ------------------------------------
 dev-lang/ruby/ruby-3.0.1-r2.ebuild | 263 ------------------------------------
 7 files changed, 1584 deletions(-)
Comment 12 NATTkA bot gentoo-dev 2021-12-05 07:36:49 UTC
Unable to check for sanity:

> no match for package: dev-lang/ruby-2.6.8