Bug 801061 (CVE-2021-31810, CVE-2021-32066) - <dev-lang/ruby-{2.6.8,2.7.4,3.0.2}: multiple vulnerabilities (CVE-2021-{31810,32066})
Summary: <dev-lang/ruby-{2.6.8,2.7.4,3.0.2}: multiple vulnerabilities (CVE-2021-{31810...
Status: IN_PROGRESS
Alias: CVE-2021-31810, CVE-2021-32066
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks: 807352
Reported: 2021-07-07 18:01 UTC by Hans de Graaff
Modified: 2021-12-05 07:36 UTC
See Also:
Package list:
dev-lang/ruby-2.6.8
Runtime testing required: ---
nattka: sanity-check-


Description Hans de Graaff gentoo-dev 2021-07-07 18:01:43 UTC
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP

A trusting FTP PASV responses vulnerability was discovered in Net::FTP. This vulnerability has been assigned the CVE identifier CVE-2021-31810. We strongly recommend upgrading Ruby.

net-ftp is a default gem in Ruby 3.0.1 but it has a packaging issue, so please upgrade Ruby itself.
Details

A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).

CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP

A StartTLS stripping vulnerability was discovered in Net::FTP. This vulnerability has been assigned the CVE identifier CVE-2021-32066. We strongly recommend upgrading Ruby.

net-imap is a default gem in Ruby 3.0.1 but it has a packaging issue, so please upgrade Ruby itself.
Details

Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.”

Affected Versions

    Ruby 2.6 series: 2.6.7 and earlier
    Ruby 2.7 series: 2.7.3 and earlier
    Ruby 3.0 series: 3.0.1 and earlier
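The two advisories quoted above describe the same class of mistake: a client that believes what the server tells it (the host in a PASV reply; a non-OK answer to STARTTLS) instead of failing closed. The following Ruby code is an added example written for this bug entry; it is not Ruby's own net-ftp or net-imap code and not part of the Gentoo package. The helper names (parse_pasv, pasv_host_mismatch?, data_endpoint, require_starttls_ok!, starttls_ok?), the trust_pasv_ip keyword and all sample reply lines are constructed for illustration. It shows how a client can take only the port from a 227 reply and reconnect to the control connection's peer (and flag a mismatch for logging), and how a STARTTLS reply that is anything other than a tagged OK is treated as a hard failure rather than silently continuing in plaintext.

```ruby
require "ipaddr"

# Added example (not Ruby's own net-ftp / net-imap code). Two fail-closed checks
# matching the advisories: do not trust the host in a PASV reply, and treat
# anything but an explicit OK to STARTTLS as failure.

class UntrustedPasvHost < StandardError; end
class StartTLSError < StandardError; end

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = /\A227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Parse a 227 reply into [host, port]; nil when the line is not a well-formed 227.
def parse_pasv(line)
  m = PASV_RE.match(line.to_s) or return nil
  octets = m.captures.map(&:to_i)
  return nil if octets.any? { |o| o > 255 }
  host = octets[0, 4].join(".")
  port = octets[4] * 256 + octets[5]
  return nil if port.zero?
  [host, port]
end

# True when the server asked us to open the data connection somewhere other
# than the host we are already talking to: the pattern the advisory describes,
# and a useful condition to log or alert on.
def pasv_host_mismatch?(line, control_peer_ip)
  host, _port = parse_pasv(line)
  return false if host.nil?
  IPAddr.new(host) != IPAddr.new(control_peer_ip)
end

# Choose the data-connection endpoint. By default the PASV host is ignored and
# only the port is taken from the reply; the data connection goes back to the
# control connection's peer. trust_pasv_ip: true is the explicit opt-in for a
# legitimately multi-homed server. (Assumed helper, not net-ftp's own API.)
def data_endpoint(line, control_peer_ip, trust_pasv_ip: false)
  parsed = parse_pasv(line)
  raise UntrustedPasvHost, "malformed PASV reply: #{line.inspect}" if parsed.nil?
  host, port = parsed
  return [host, port] if trust_pasv_ip
  [control_peer_ip, port]
end

# IMAP tagged reply to STARTTLS, e.g. "RUBY0001 OK Begin TLS negotiation now".
STARTTLS_RE = /\A(\S+) (OK|NO|BAD)\b/

# Require an explicit OK carrying the tag we sent. Any other reply (NO, BAD,
# untagged, wrong tag, garbage, nil) raises, so the caller can never carry on
# in plaintext as if TLS had merely been declined.
def require_starttls_ok!(sent_tag, response_line)
  m = STARTTLS_RE.match(response_line.to_s)
  raise StartTLSError, "unexpected STARTTLS reply: #{response_line.inspect}" unless m
  tag, status = m.captures
  raise StartTLSError, "reply tag #{tag.inspect} does not match #{sent_tag.inspect}" unless tag == sent_tag
  raise StartTLSError, "server did not accept STARTTLS (#{status})" unless status == "OK"
  true
end

# Boolean form of the same check for callers that prefer not to rescue.
def starttls_ok?(sent_tag, response_line)
  require_starttls_ok!(sent_tag, response_line)
rescue StartTLSError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample replies, not captured from any real server.
  control_peer = "203.0.113.7"
  honest   = "227 Entering Passive Mode (203,0,113,7,195,80)"
  redirect = "227 Entering Passive Mode (10,0,0,5,4,1)"
  puts "honest   -> #{data_endpoint(honest, control_peer).inspect} mismatch=#{pasv_host_mismatch?(honest, control_peer)}"
  puts "redirect -> #{data_endpoint(redirect, control_peer).inspect} mismatch=#{pasv_host_mismatch?(redirect, control_peer)}"
  puts "STARTTLS OK  -> #{starttls_ok?('RUBY0001', 'RUBY0001 OK Begin TLS negotiation now')}"
  puts "STARTTLS NO  -> #{starttls_ok?('RUBY0001', 'RUBY0001 NO STARTTLS not available')}"
  puts "STARTTLS ??? -> #{starttls_ok?('RUBY0001', '* BYE connection reset')}"
end
```

The design choice in both halves is the same: the decision defaults to the safe side and the caller has to opt in (trust_pasv_ip: true) or handle an exception to get anything else. For the PASV case, logging pasv_host_mismatch? alongside the control peer gives a cheap detection signal for servers that try to redirect data connections.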
Comment 1 Larry the Git Cow gentoo-dev 2021-07-07 19:15:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a8288a89c3070b2a97a480cd6674eaf6b34c1df

commit 5a8288a89c3070b2a97a480cd6674eaf6b34c1df
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-07 19:15:07 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-07 19:15:15 +0000

    dev-lang/ruby: add 2.6.8, 2.7.4, 3.0.2
    
    Bug: https://bugs.gentoo.org/801061
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest          |   3 +
 dev-lang/ruby/ruby-2.6.8.ebuild | 258 +++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-2.7.4.ebuild | 264 ++++++++++++++++++++++++++++++++++++++++
 dev-lang/ruby/ruby-3.0.2.ebuild | 263 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 788 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2021-07-10 15:40:55 UTC
ppc64 done
Comment 3 Rolf Eike Beer archtester 2021-07-10 17:23:44 UTC
sparc done
Comment 4 Agostino Sarubbo gentoo-dev 2021-07-11 08:58:58 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-07-11 09:00:54 UTC
ppc stable
Comment 6 Sam James archtester gentoo-dev Security 2021-07-11 20:51:56 UTC
x86 done
Comment 7 Rolf Eike Beer archtester 2021-07-15 20:29:50 UTC
hppa done
Comment 8 Sam James archtester gentoo-dev Security 2021-07-17 03:58:36 UTC
arm done
Comment 9 Sam James archtester gentoo-dev Security 2021-07-22 06:06:57 UTC
arm64 done

all arches done
Comment 10 Sam James archtester gentoo-dev Security 2021-07-22 06:08:02 UTC
Please cleanup, thanks!
Comment 11 Larry the Git Cow gentoo-dev 2021-07-24 09:24:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=529c2120ae06c7cdb82a1c68abd2cb3ac1ca315c

commit 529c2120ae06c7cdb82a1c68abd2cb3ac1ca315c
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-24 09:24:10 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-24 09:24:10 +0000

    dev-lang/ruby: clean up vulnerable versions
    
    Bug: https://bugs.gentoo.org/801061
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-lang/ruby/Manifest             |   3 -
 dev-lang/ruby/ruby-2.6.7-r2.ebuild | 258 -----------------------------------
 dev-lang/ruby/ruby-2.7.3-r3.ebuild | 263 ------------------------------------
 dev-lang/ruby/ruby-2.7.3-r4.ebuild | 267 -------------------------------------
 dev-lang/ruby/ruby-2.7.3-r5.ebuild | 266 ------------------------------------
 dev-lang/ruby/ruby-3.0.1-r1.ebuild | 264 ------------------------------------
 dev-lang/ruby/ruby-3.0.1-r2.ebuild | 263 ------------------------------------
 7 files changed, 1584 deletions(-)
Comment 12 NATTkA bot gentoo-dev 2021-12-05 07:36:49 UTC
Unable to check for sanity:

> no match for package: dev-lang/ruby-2.6.8