OESA-2024-1938
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1938
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2024-1938.json
- JSON Data
- https://api.osv.dev/v1/vulns/OESA-2024-1938
- Upstream
- Published
- 2024-08-02T11:08:43Z
- Modified
- 2025-09-03T06:20:18.950898Z
- Summary
- ruby security update
- Details
-
Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl).
Security Fix(es):
Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.fromyaml. fromyaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called
YAML-bombs(comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.(CVE-2024-35221) - Database specific
{ "severity": "Medium" }- References
Affected packages
openEuler:24.03-LTS / ruby
Package
- Name
- ruby
- Purl
- pkg:rpm/openEuler/ruby&distro=openEuler-24.03-LTS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.2.2-142.oe2403
Ecosystem specific
{
"src": [
"ruby-3.2.2-142.oe2403.src.rpm"
],
"aarch64": [
"rubygem-bigdecimal-3.1.3-142.oe2403.aarch64.rpm",
"rubygem-json-2.6.3-142.oe2403.aarch64.rpm",
"ruby-3.2.2-142.oe2403.aarch64.rpm",
"ruby-debugsource-3.2.2-142.oe2403.aarch64.rpm",
"rubygem-io-console-0.6.0-142.oe2403.aarch64.rpm",
"ruby-devel-3.2.2-142.oe2403.aarch64.rpm",
"ruby-bundled-gems-3.2.2-142.oe2403.aarch64.rpm",
"rubygem-psych-5.0.1-142.oe2403.aarch64.rpm",
"ruby-debuginfo-3.2.2-142.oe2403.aarch64.rpm",
"rubygem-openssl-3.1.0-142.oe2403.aarch64.rpm",
"rubygem-rbs-2.8.2-142.oe2403.aarch64.rpm"
],
"x86_64": [
"rubygem-rbs-2.8.2-142.oe2403.x86_64.rpm",
"rubygem-json-2.6.3-142.oe2403.x86_64.rpm",
"ruby-3.2.2-142.oe2403.x86_64.rpm",
"rubygem-openssl-3.1.0-142.oe2403.x86_64.rpm",
"ruby-debuginfo-3.2.2-142.oe2403.x86_64.rpm",
"ruby-bundled-gems-3.2.2-142.oe2403.x86_64.rpm",
"rubygem-io-console-0.6.0-142.oe2403.x86_64.rpm",
"ruby-debugsource-3.2.2-142.oe2403.x86_64.rpm",
"ruby-devel-3.2.2-142.oe2403.x86_64.rpm",
"rubygem-psych-5.0.1-142.oe2403.x86_64.rpm",
"rubygem-bigdecimal-3.1.3-142.oe2403.x86_64.rpm"
],
"noarch": [
"rubygem-did_you_mean-1.6.3-142.oe2403.noarch.rpm",
"rubygem-rexml-3.2.5-142.oe2403.noarch.rpm",
"rubygem-test-unit-3.5.7-142.oe2403.noarch.rpm",
"ruby-irb-3.2.2-142.oe2403.noarch.rpm",
"rubygem-minitest-5.16.3-142.oe2403.noarch.rpm",
"rubygems-3.4.10-142.oe2403.noarch.rpm",
"rubygems-devel-3.4.10-142.oe2403.noarch.rpm",
"rubygem-rake-13.0.6-142.oe2403.noarch.rpm",
"rubygem-rdoc-6.5.0-142.oe2403.noarch.rpm",
"ruby-help-3.2.2-142.oe2403.noarch.rpm",
"rubygem-rss-0.2.9-142.oe2403.noarch.rpm",
"rubygem-typeprof-0.21.3-142.oe2403.noarch.rpm"
]
}