Lucene search

AmazonALAS2-2019-1143

HistoryJan 07, 2019 - 10:05 p.m.

Important: ruby

2019-01-0722:05:00

alas.aws.amazon.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.007 Low

EPSS

Percentile

80.8%

JSON

Issue Overview:

An issue was discovered in the OpenSSL library in Ruby. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.(CVE-2018-16395)

Affected Packages:

ruby

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update ruby to update your system.

New Packages:

aarch64:  
    ruby-2.0.0.648-34.amzn2.0.1.aarch64  
    ruby-devel-2.0.0.648-34.amzn2.0.1.aarch64  
    ruby-libs-2.0.0.648-34.amzn2.0.1.aarch64  
    rubygem-bigdecimal-1.2.0-34.amzn2.0.1.aarch64  
    rubygem-io-console-0.4.2-34.amzn2.0.1.aarch64  
    rubygem-json-1.7.7-34.amzn2.0.1.aarch64  
    rubygem-psych-2.0.0-34.amzn2.0.1.aarch64  
    ruby-tcltk-2.0.0.648-34.amzn2.0.1.aarch64  
    ruby-debuginfo-2.0.0.648-34.amzn2.0.1.aarch64  
  
i686:  
    ruby-2.0.0.648-34.amzn2.0.1.i686  
    ruby-devel-2.0.0.648-34.amzn2.0.1.i686  
    ruby-libs-2.0.0.648-34.amzn2.0.1.i686  
    rubygem-bigdecimal-1.2.0-34.amzn2.0.1.i686  
    rubygem-io-console-0.4.2-34.amzn2.0.1.i686  
    rubygem-json-1.7.7-34.amzn2.0.1.i686  
    rubygem-psych-2.0.0-34.amzn2.0.1.i686  
    ruby-tcltk-2.0.0.648-34.amzn2.0.1.i686  
    ruby-debuginfo-2.0.0.648-34.amzn2.0.1.i686  
  
noarch:  
    rubygems-2.0.14.1-34.amzn2.0.1.noarch  
    rubygems-devel-2.0.14.1-34.amzn2.0.1.noarch  
    rubygem-rake-0.9.6-34.amzn2.0.1.noarch  
    ruby-irb-2.0.0.648-34.amzn2.0.1.noarch  
    rubygem-rdoc-4.0.0-34.amzn2.0.1.noarch  
    ruby-doc-2.0.0.648-34.amzn2.0.1.noarch  
    rubygem-minitest-4.3.2-34.amzn2.0.1.noarch  
  
src:  
    ruby-2.0.0.648-34.amzn2.0.1.src  
  
x86_64:  
    ruby-2.0.0.648-34.amzn2.0.1.x86_64  
    ruby-devel-2.0.0.648-34.amzn2.0.1.x86_64  
    ruby-libs-2.0.0.648-34.amzn2.0.1.x86_64  
    rubygem-bigdecimal-1.2.0-34.amzn2.0.1.x86_64  
    rubygem-io-console-0.4.2-34.amzn2.0.1.x86_64  
    rubygem-json-1.7.7-34.amzn2.0.1.x86_64  
    rubygem-psych-2.0.0-34.amzn2.0.1.x86_64  
    ruby-tcltk-2.0.0.648-34.amzn2.0.1.x86_64  
    ruby-debuginfo-2.0.0.648-34.amzn2.0.1.x86_64

Additional References

Red Hat: CVE-2018-16395

Mitre: CVE-2018-16395

OSVersionArchitecturePackageVersionFilename
Amazon Linux2aarch64ruby< 2.0.0.648-34.amzn2.0.1ruby-2.0.0.648-34.amzn2.0.1.aarch64.rpm
Amazon Linux2aarch64ruby-devel< 2.0.0.648-34.amzn2.0.1ruby-devel-2.0.0.648-34.amzn2.0.1.aarch64.rpm
Amazon Linux2aarch64ruby-libs< 2.0.0.648-34.amzn2.0.1ruby-libs-2.0.0.648-34.amzn2.0.1.aarch64.rpm
Amazon Linux2aarch64rubygem-bigdecimal< 1.2.0-34.amzn2.0.1rubygem-bigdecimal-1.2.0-34.amzn2.0.1.aarch64.rpm
Amazon Linux2aarch64rubygem-io-console< 0.4.2-34.amzn2.0.1rubygem-io-console-0.4.2-34.amzn2.0.1.aarch64.rpm
Amazon Linux2aarch64rubygem-json< 1.7.7-34.amzn2.0.1rubygem-json-1.7.7-34.amzn2.0.1.aarch64.rpm
Amazon Linux2aarch64rubygem-psych< 2.0.0-34.amzn2.0.1rubygem-psych-2.0.0-34.amzn2.0.1.aarch64.rpm
Amazon Linux2aarch64ruby-tcltk< 2.0.0.648-34.amzn2.0.1ruby-tcltk-2.0.0.648-34.amzn2.0.1.aarch64.rpm
Amazon Linux2aarch64ruby-debuginfo< 2.0.0.648-34.amzn2.0.1ruby-debuginfo-2.0.0.648-34.amzn2.0.1.aarch64.rpm
Amazon Linux2i686ruby< 2.0.0.648-34.amzn2.0.1ruby-2.0.0.648-34.amzn2.0.1.i686.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	aarch64	ruby	< 2.0.0.648-34.amzn2.0.1	ruby-2.0.0.648-34.amzn2.0.1.aarch64.rpm
Amazon Linux	2	aarch64	ruby-devel	< 2.0.0.648-34.amzn2.0.1	ruby-devel-2.0.0.648-34.amzn2.0.1.aarch64.rpm
Amazon Linux	2	aarch64	ruby-libs	< 2.0.0.648-34.amzn2.0.1	ruby-libs-2.0.0.648-34.amzn2.0.1.aarch64.rpm
Amazon Linux	2	aarch64	rubygem-bigdecimal	< 1.2.0-34.amzn2.0.1	rubygem-bigdecimal-1.2.0-34.amzn2.0.1.aarch64.rpm
Amazon Linux	2	aarch64	rubygem-io-console	< 0.4.2-34.amzn2.0.1	rubygem-io-console-0.4.2-34.amzn2.0.1.aarch64.rpm
Amazon Linux	2	aarch64	rubygem-json	< 1.7.7-34.amzn2.0.1	rubygem-json-1.7.7-34.amzn2.0.1.aarch64.rpm
Amazon Linux	2	aarch64	rubygem-psych	< 2.0.0-34.amzn2.0.1	rubygem-psych-2.0.0-34.amzn2.0.1.aarch64.rpm
Amazon Linux	2	aarch64	ruby-tcltk	< 2.0.0.648-34.amzn2.0.1	ruby-tcltk-2.0.0.648-34.amzn2.0.1.aarch64.rpm
Amazon Linux	2	aarch64	ruby-debuginfo	< 2.0.0.648-34.amzn2.0.1	ruby-debuginfo-2.0.0.648-34.amzn2.0.1.aarch64.rpm
Amazon Linux	2	i686	ruby	< 2.0.0.648-34.amzn2.0.1	ruby-2.0.0.648-34.amzn2.0.1.i686.rpm