Low: ruby20

2021-05-20T21:12:00
ID ALAS-2021-1505
Type amazon
Reporter Amazon
Modified 2021-05-20T21:12:00

Description

Issue Overview:

RDoc before version 6.3.1 used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command. (CVE-2021-31799 __)

Affected Packages:

ruby20

Issue Correction:
Run yum update ruby20 to update your system.

New Packages:

i686:  
    rubygem20-io-console-0.4.2-2.40.amzn1.i686  
    rubygem20-bigdecimal-1.2.0-2.40.amzn1.i686  
    ruby20-2.0.0.648-2.40.amzn1.i686  
    rubygem20-psych-2.0.0-2.40.amzn1.i686  
    ruby20-debuginfo-2.0.0.648-2.40.amzn1.i686  
    ruby20-libs-2.0.0.648-2.40.amzn1.i686  
    ruby20-devel-2.0.0.648-2.40.amzn1.i686

noarch:  
    rubygems20-devel-2.0.14.1-2.40.amzn1.noarch  
    rubygems20-2.0.14.1-2.40.amzn1.noarch  
    ruby20-irb-2.0.0.648-2.40.amzn1.noarch  
    ruby20-doc-2.0.0.648-2.40.amzn1.noarch

src:  
    ruby20-2.0.0.648-2.40.amzn1.src

x86_64:  
    ruby20-libs-2.0.0.648-2.40.amzn1.x86_64  
    rubygem20-psych-2.0.0-2.40.amzn1.x86_64  
    ruby20-2.0.0.648-2.40.amzn1.x86_64  
    ruby20-debuginfo-2.0.0.648-2.40.amzn1.x86_64  
    rubygem20-io-console-0.4.2-2.40.amzn1.x86_64  
    ruby20-devel-2.0.0.648-2.40.amzn1.x86_64  
    rubygem20-bigdecimal-1.2.0-2.40.amzn1.x86_64