libruby3_2-3_2-3.2.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12712 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libruby3_2-3_2-3.2.1-1.1 on GA media These are all security issues fixed in the libruby3_2-3_2-3.2.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12712 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12712 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-10663/ SUSE CVE CVE-2020-10663 page https://www.suse.com/security/cve/CVE-2020-10933/ SUSE CVE CVE-2020-10933 page https://www.suse.com/security/cve/CVE-2021-28965/ SUSE CVE CVE-2021-28965 page https://www.suse.com/security/cve/CVE-2021-31799/ SUSE CVE CVE-2021-31799 page https://www.suse.com/security/cve/CVE-2021-31810/ SUSE CVE CVE-2021-31810 page https://www.suse.com/security/cve/CVE-2021-32066/ SUSE CVE CVE-2021-32066 page https://www.suse.com/security/cve/CVE-2021-41816/ SUSE CVE CVE-2021-41816 page https://www.suse.com/security/cve/CVE-2021-41817/ SUSE CVE CVE-2021-41817 page https://www.suse.com/security/cve/CVE-2021-41819/ SUSE CVE CVE-2021-41819 page https://www.suse.com/security/cve/CVE-2022-28738/ SUSE CVE CVE-2022-28738 page https://www.suse.com/security/cve/CVE-2022-28739/ SUSE CVE CVE-2022-28739 page openSUSE Tumbleweed libruby3_2-3_2-3.2.1-1.1 ruby3.2-3.2.1-1.1 ruby3.2-devel-3.2.1-1.1 ruby3.2-devel-extra-3.2.1-1.1 ruby3.2-doc-3.2.1-1.1 ruby3.2-doc-ri-3.2.1-1.1 libruby3_2-3_2-3.2.1-1.1 as a component of openSUSE Tumbleweed ruby3.2-3.2.1-1.1 as a component of openSUSE Tumbleweed ruby3.2-devel-3.2.1-1.1 as a component of openSUSE Tumbleweed ruby3.2-devel-extra-3.2.1-1.1 as a component of openSUSE Tumbleweed ruby3.2-doc-3.2.1-1.1 as a component of openSUSE Tumbleweed ruby3.2-doc-ri-3.2.1-1.1 as a component of openSUSE Tumbleweed The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. CVE-2020-10663 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10663.html CVE-2020-10663 https://bugzilla.suse.com/1167244 SUSE Bug 1167244 https://bugzilla.suse.com/1171517 SUSE Bug 1171517 An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter. CVE-2020-10933 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10933.html CVE-2020-10933 https://bugzilla.suse.com/1168938 SUSE Bug 1168938 The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. CVE-2021-28965 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-28965.html CVE-2021-28965 https://bugzilla.suse.com/1184644 SUSE Bug 1184644 In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. CVE-2021-31799 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-31799.html CVE-2021-31799 https://bugzilla.suse.com/1190375 SUSE Bug 1190375 https://bugzilla.suse.com/1196771 SUSE Bug 1196771 An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). CVE-2021-31810 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-31810.html CVE-2021-31810 https://bugzilla.suse.com/1188161 SUSE Bug 1188161 https://bugzilla.suse.com/1193383 SUSE Bug 1193383 https://bugzilla.suse.com/1205053 SUSE Bug 1205053 An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack." CVE-2021-32066 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32066.html CVE-2021-32066 https://bugzilla.suse.com/1188160 SUSE Bug 1188160 https://bugzilla.suse.com/1196771 SUSE Bug 1196771 https://bugzilla.suse.com/1205053 SUSE Bug 1205053 CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby. CVE-2021-41816 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41816.html CVE-2021-41816 https://bugzilla.suse.com/1193080 SUSE Bug 1193080 Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. CVE-2021-41817 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41817.html CVE-2021-41817 https://bugzilla.suse.com/1193035 SUSE Bug 1193035 CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. CVE-2021-41819 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41819.html CVE-2021-41819 https://bugzilla.suse.com/1193081 SUSE Bug 1193081 A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations. CVE-2022-28738 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-28738.html CVE-2022-28738 https://bugzilla.suse.com/1198440 SUSE Bug 1198440 There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f. CVE-2022-28739 openSUSE Tumbleweed:libruby3_2-3_2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-devel-extra-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-3.2.1-1.1 openSUSE Tumbleweed:ruby3.2-doc-ri-3.2.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-28739.html CVE-2022-28739 https://bugzilla.suse.com/1198441 SUSE Bug 1198441