SUSE-SU-2020:1570-1

Source
https://www.suse.com/support/update/announcement/2020/suse-su-20201570-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2020:1570-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2020:1570-1
Related
Published
2020-06-09T09:16:12Z
Modified
2020-06-09T09:16:12Z
Summary
Security update for ruby2.1
Details

This update for ruby2.1 fixes the following issues:

Security issues fixed:

  • CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
  • CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
  • CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
  • CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
  • CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
  • CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
  • CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
  • CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
  • CVE-2017-9228: Fixed a heap out-of-bounds write in bitsetsetrange() during regex compilation (bsc#1069607).
  • CVE-2017-9229: Fixed an invalid pointer dereference in leftadjustchar_head() in oniguruma (bsc#1069632).
  • CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
  • CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
  • CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
  • CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
  • CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
  • CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
  • CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
  • CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
  • CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
  • CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
  • CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
  • CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
  • CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
  • CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
  • CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
  • CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
  • CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
  • CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
  • CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
  • CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
  • CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
  • CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
  • CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
  • CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
  • CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
  • CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
  • CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
  • CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
  • CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
  • CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
  • CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).

Non-security issue fixed:

  • Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).

Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)

References

Affected packages

SUSE:HPE Helion OpenStack 8 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=HPE%20Helion%20OpenStack%208

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:OpenStack Cloud 7 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "yast2-ruby-bindings": "3.1.53-9.8.1",
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:OpenStack Cloud 7 / yast2-ruby-bindings

Package

Name
yast2-ruby-bindings
Purl
pkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.53-9.8.1

Ecosystem specific

{
    "binaries": [
        {
            "yast2-ruby-bindings": "3.1.53-9.8.1",
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:OpenStack Cloud 8 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20OpenStack%20Cloud%208

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:OpenStack Cloud Crowbar 8 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 SP2 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "yast2-ruby-bindings": "3.1.53-9.8.1",
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 SP2 / yast2-ruby-bindings

Package

Name
yast2-ruby-bindings
Purl
pkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.53-9.8.1

Ecosystem specific

{
    "binaries": [
        {
            "yast2-ruby-bindings": "3.1.53-9.8.1",
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 SP3 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Software Development Kit 12 SP4 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-devel": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Software Development Kit 12 SP5 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-devel": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP2-LTSS / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "yast2-ruby-bindings": "3.1.53-9.8.1",
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP2-LTSS / yast2-ruby-bindings

Package

Name
yast2-ruby-bindings
Purl
pkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.53-9.8.1

Ecosystem specific

{
    "binaries": [
        {
            "yast2-ruby-bindings": "3.1.53-9.8.1",
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP2-BCL / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "yast2-ruby-bindings": "3.1.53-9.8.1",
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP2-BCL / yast2-ruby-bindings

Package

Name
yast2-ruby-bindings
Purl
pkg:rpm/suse/yast2-ruby-bindings&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.53-9.8.1

Ecosystem specific

{
    "binaries": [
        {
            "yast2-ruby-bindings": "3.1.53-9.8.1",
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP3-LTSS / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP3-BCL / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP4 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 SP4 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP5 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 SP5 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}

SUSE:Enterprise Storage 5 / ruby2.1

Package

Name
ruby2.1
Purl
pkg:rpm/suse/ruby2.1&distro=SUSE%20Enterprise%20Storage%205

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.9-19.3.2

Ecosystem specific

{
    "binaries": [
        {
            "ruby2.1-stdlib": "2.1.9-19.3.2",
            "ruby2.1": "2.1.9-19.3.2",
            "libruby2_1-2_1": "2.1.9-19.3.2"
        }
    ]
}