[SECURITY] [DLA 2192-1] ruby2.1 security update

2020-04-3022:01:47

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.9%

JSON

Package : ruby2.1
Version : 2.1.5-2+deb8u10
CVE ID : CVE-2020-10663

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.1 has an
unsafe object creation vulnerability.
This is quite similar to CVE-2013-0269, but does not rely on poor
garbage-collection behavior within Ruby. Specifically, use of JSON
parsing methods can lead to creation of a malicious object within
the interpreter, with adverse effects that are application-dependent.

For Debian 8 "Jessie", this problem has been fixed in version
2.1.5-2+deb8u10.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh

OSVersionArchitecturePackageVersionFilename
Debian10s390xlibruby2.5-dbgsym< 2.5.5-3+deb10u2libruby2.5-dbgsym_2.5.5-3+deb10u2_s390x.deb
Debian9i386ruby-json< 2.0.1+dfsg-3+deb9u1ruby-json_2.0.1+dfsg-3+deb9u1_i386.deb
Debian9mips64elruby2.3-tcltk-dbgsym< 2.3.3-1+deb9u8ruby2.3-tcltk-dbgsym_2.3.3-1+deb9u8_mips64el.deb
Debian10mipsruby2.5-dev< 2.5.5-3+deb10u2ruby2.5-dev_2.5.5-3+deb10u2_mips.deb
Debian9amd64ruby2.3-tcltk-dbgsym< 2.3.3-1+deb9u8ruby2.3-tcltk-dbgsym_2.3.3-1+deb9u8_amd64.deb
Debian10mipsruby2.5< 2.5.5-3+deb10u2ruby2.5_2.5.5-3+deb10u2_mips.deb
Debian10s390xruby-json-dbgsym< 2.1.0+dfsg-2+deb10u1ruby-json-dbgsym_2.1.0+dfsg-2+deb10u1_s390x.deb
Debian9amd64ruby2.3< 2.3.3-1+deb9u8ruby2.3_2.3.3-1+deb9u8_amd64.deb
Debian10ppc64ellibruby2.5-dbgsym< 2.5.5-3+deb10u2libruby2.5-dbgsym_2.5.5-3+deb10u2_ppc64el.deb
Debian10s390xruby2.5< 2.5.5-3+deb10u2ruby2.5_2.5.5-3+deb10u2_s390x.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	s390x	libruby2.5-dbgsym	< 2.5.5-3+deb10u2	libruby2.5-dbgsym_2.5.5-3+deb10u2_s390x.deb
Debian	9	i386	ruby-json	< 2.0.1+dfsg-3+deb9u1	ruby-json_2.0.1+dfsg-3+deb9u1_i386.deb
Debian	9	mips64el	ruby2.3-tcltk-dbgsym	< 2.3.3-1+deb9u8	ruby2.3-tcltk-dbgsym_2.3.3-1+deb9u8_mips64el.deb
Debian	10	mips	ruby2.5-dev	< 2.5.5-3+deb10u2	ruby2.5-dev_2.5.5-3+deb10u2_mips.deb
Debian	9	amd64	ruby2.3-tcltk-dbgsym	< 2.3.3-1+deb9u8	ruby2.3-tcltk-dbgsym_2.3.3-1+deb9u8_amd64.deb
Debian	10	mips	ruby2.5	< 2.5.5-3+deb10u2	ruby2.5_2.5.5-3+deb10u2_mips.deb
Debian	10	s390x	ruby-json-dbgsym	< 2.1.0+dfsg-2+deb10u1	ruby-json-dbgsym_2.1.0+dfsg-2+deb10u1_s390x.deb
Debian	9	amd64	ruby2.3	< 2.3.3-1+deb9u8	ruby2.3_2.3.3-1+deb9u8_amd64.deb
Debian	10	ppc64el	libruby2.5-dbgsym	< 2.5.5-3+deb10u2	libruby2.5-dbgsym_2.5.5-3+deb10u2_ppc64el.deb
Debian	10	s390x	ruby2.5	< 2.5.5-3+deb10u2	ruby2.5_2.5.5-3+deb10u2_s390x.deb