CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP A trusting FTP PASV responses vulnerability was discovered in Net::FTP. This vulnerability has been assigned the CVE identifier CVE-2021-31810. We strongly recommend upgrading Ruby. net-ftp is a default gem in Ruby 3.0.1 but it has a packaging issue, so please upgrade Ruby itself. Details A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP A StartTLS stripping vulnerability was discovered in Net::FTP. This vulnerability has been assigned the CVE identifier CVE-2021-32066. We strongly recommend upgrading Ruby. net-imap is a default gem in Ruby 3.0.1 but it has a packaging issue, so please upgrade Ruby itself. Details Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.” Affected Versions Ruby 2.6 series: 2.6.7 and earlier Ruby 2.7 series: 2.7.3 and earlier Ruby 3.0 series: 3.0.1 and earlier
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a8288a89c3070b2a97a480cd6674eaf6b34c1df commit 5a8288a89c3070b2a97a480cd6674eaf6b34c1df Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2021-07-07 19:15:07 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2021-07-07 19:15:15 +0000 dev-lang/ruby: add 2.6.8, 2.7.4, 3.0.2 Bug: https://bugs.gentoo.org/801061 Package-Manager: Portage-3.0.20, Repoman-3.0.2 Signed-off-by: Hans de Graaff <graaff@gentoo.org> dev-lang/ruby/Manifest | 3 + dev-lang/ruby/ruby-2.6.8.ebuild | 258 +++++++++++++++++++++++++++++++++++++++ dev-lang/ruby/ruby-2.7.4.ebuild | 264 ++++++++++++++++++++++++++++++++++++++++ dev-lang/ruby/ruby-3.0.2.ebuild | 263 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 788 insertions(+)
ppc64 done
sparc done
amd64 stable
ppc stable
x86 done
hppa done
arm done
arm64 done all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=529c2120ae06c7cdb82a1c68abd2cb3ac1ca315c commit 529c2120ae06c7cdb82a1c68abd2cb3ac1ca315c Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2021-07-24 09:24:10 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2021-07-24 09:24:10 +0000 dev-lang/ruby: clean up vulnerable versions Bug: https://bugs.gentoo.org/801061 Package-Manager: Portage-3.0.20, Repoman-3.0.2 Signed-off-by: Hans de Graaff <graaff@gentoo.org> dev-lang/ruby/Manifest | 3 - dev-lang/ruby/ruby-2.6.7-r2.ebuild | 258 ----------------------------------- dev-lang/ruby/ruby-2.7.3-r3.ebuild | 263 ------------------------------------ dev-lang/ruby/ruby-2.7.3-r4.ebuild | 267 ------------------------------------- dev-lang/ruby/ruby-2.7.3-r5.ebuild | 266 ------------------------------------ dev-lang/ruby/ruby-3.0.1-r1.ebuild | 264 ------------------------------------ dev-lang/ruby/ruby-3.0.1-r2.ebuild | 263 ------------------------------------ 7 files changed, 1584 deletions(-)
Unable to check for sanity: > no match for package: dev-lang/ruby-2.6.8
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=aea6781bb25fe500e38a2cfce23bf166d29cbf48 commit aea6781bb25fe500e38a2cfce23bf166d29cbf48 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-24 04:04:06 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-01-24 04:06:47 +0000 [ GLSA 202401-27 ] Ruby: Multiple vulnerabilities Bug: https://bugs.gentoo.org/747007 Bug: https://bugs.gentoo.org/801061 Bug: https://bugs.gentoo.org/827251 Bug: https://bugs.gentoo.org/838073 Bug: https://bugs.gentoo.org/882893 Bug: https://bugs.gentoo.org/903630 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202401-27.xml | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+)
