| Summary: | <dev-lang/ruby-{2.6.9, 2.7.5, 3.0.3}: multiple vulnerabilities (CVE-2021-{41816,41817,41819}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hans de Graaff <graaff> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | ajak, ruby |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.ruby-lang.org/en/news/2021/11/24/ruby-3-0-3-released/ | ||
| Whiteboard: | B2 [glsa+] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 827831 | ||
| Bug Blocks: | |||
Fixed versions 2.6.9, 2.7.5, 3.0.3 have been added. Thanks for filing the bug & adding so quickly. Let's stable quickly when you're comfortable. Cleanup done. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=aea6781bb25fe500e38a2cfce23bf166d29cbf48 commit aea6781bb25fe500e38a2cfce23bf166d29cbf48 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-24 04:04:06 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-01-24 04:06:47 +0000 [ GLSA 202401-27 ] Ruby: Multiple vulnerabilities Bug: https://bugs.gentoo.org/747007 Bug: https://bugs.gentoo.org/801061 Bug: https://bugs.gentoo.org/827251 Bug: https://bugs.gentoo.org/838073 Bug: https://bugs.gentoo.org/882893 Bug: https://bugs.gentoo.org/903630 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202401-27.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) |
CVE-2021-41816: Buffer Overrun in CGI.escape_html A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been assigned the CVE identifier CVE-2021-41816. We strongly recommend upgrading Ruby. Details A security vulnerability that causes buffer overflow when you pass a very large string (> 700 MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows. Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile. Alternatively, please update Ruby to 2.7.5 or 3.0.3. This issue has been introduced since Ruby 2.7, so the cgi version bundled with Ruby 2.6 is not vulnerable. Affected versions cgi gem 0.1.0 or prior (which are bundled versions with Ruby 2.7 series prior to Ruby 2.7.5) cgi gem 0.2.0 or prior (which are bundled versions with Ruby 3.0 series prior to Ruby 3.0.3) cgi gem 0.3.0 or prior CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods We have released date gem version 3.2.1, 3.1.2, 3.0.2, and 2.0.1 that include a security fix for a regular expression denial of service vulnerability (ReDoS) on date parsing methods. An attacker can exploit this vulnerability to cause an effective DoS attack. This vulnerability has been assigned the CVE identifier CVE-2021-41817. Details Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected. The fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing limit keywords as nil like Date.parse(str, limit: nil), but note that it may take a long time to parse. Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use gem update date to update it. If you are using bundler, please add gem "date", ">= 3.2.1" to your Gemfile. Alternatively, you can update Ruby to 3.0.3, 2.7.5, 2.6.9 or later. Affected versions date gem 2.0.0 or prior (which are bundled versions with Ruby 2.6 series prior to Ruby 2.6.9) date gem 3.0.1 or prior (which are bundled versions with Ruby 2.7 series prior to Ruby 2.7.5) date gem 3.1.1 or prior (which are bundled versions with Ruby 3.0 series prior to Ruby 3.0.3) date gem 3.2.0 or prior CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse A cookie prefix spoofing vulnerability was discovered in CGI::Cookie.parse. This vulnerability has been assigned the CVE identifier CVE-2021-41819. We strongly recommend upgrading Ruby. Details The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded. This is the same issue of CVE-2020-8184. If you are using Ruby 2.7 or 3.0: Please update the cgi gem to version 0.3.1, 0.2,1, and 0.1,1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile. Alternatively, please update Ruby to 2.7.5 or 3.0.3. If you are using Ruby 2.6: Please update Ruby to 2.6.9. You cannot use gem update cgi for Ruby 2.6 or prior.