libruby2_7-2_7-2.7.4-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11622 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libruby2_7-2_7-2.7.4-1.1 on GA media These are all security issues fixed in the libruby2_7-2_7-2.7.4-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11622 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11622 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-31799/ SUSE CVE CVE-2021-31799 page https://www.suse.com/security/cve/CVE-2021-31810/ SUSE CVE CVE-2021-31810 page https://www.suse.com/security/cve/CVE-2021-32066/ SUSE CVE CVE-2021-32066 page openSUSE Tumbleweed libruby2_7-2_7-2.7.4-1.1 ruby2.7-2.7.4-1.1 ruby2.7-devel-2.7.4-1.1 ruby2.7-devel-extra-2.7.4-1.1 ruby2.7-doc-2.7.4-1.1 ruby2.7-doc-ri-2.7.4-1.1 libruby2_7-2_7-2.7.4-1.1 as a component of openSUSE Tumbleweed ruby2.7-2.7.4-1.1 as a component of openSUSE Tumbleweed ruby2.7-devel-2.7.4-1.1 as a component of openSUSE Tumbleweed ruby2.7-devel-extra-2.7.4-1.1 as a component of openSUSE Tumbleweed ruby2.7-doc-2.7.4-1.1 as a component of openSUSE Tumbleweed ruby2.7-doc-ri-2.7.4-1.1 as a component of openSUSE Tumbleweed In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. CVE-2021-31799 openSUSE Tumbleweed:libruby2_7-2_7-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-devel-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-devel-extra-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-doc-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-doc-ri-2.7.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-31799.html CVE-2021-31799 https://bugzilla.suse.com/1190375 SUSE Bug 1190375 https://bugzilla.suse.com/1196771 SUSE Bug 1196771 An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). CVE-2021-31810 openSUSE Tumbleweed:libruby2_7-2_7-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-devel-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-devel-extra-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-doc-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-doc-ri-2.7.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-31810.html CVE-2021-31810 https://bugzilla.suse.com/1188161 SUSE Bug 1188161 https://bugzilla.suse.com/1193383 SUSE Bug 1193383 https://bugzilla.suse.com/1205053 SUSE Bug 1205053 An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." CVE-2021-32066 openSUSE Tumbleweed:libruby2_7-2_7-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-devel-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-devel-extra-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-doc-2.7.4-1.1 openSUSE Tumbleweed:ruby2.7-doc-ri-2.7.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32066.html CVE-2021-32066 https://bugzilla.suse.com/1188160 SUSE Bug 1188160 https://bugzilla.suse.com/1196771 SUSE Bug 1196771 https://bugzilla.suse.com/1205053 SUSE Bug 1205053