CVSS3: 7.4 High
Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | HIGH
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS2: 5.8 Medium
Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | MEDIUM
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | PARTIAL
Availability Impact | NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.002 Low (percentile 63.9%)
Debian LTS Advisory DLA-2780-1 [email protected]
https://www.debian.org/lts/security/ Utkarsh Gupta
October 11, 2021 https://wiki.debian.org/LTS
Package : ruby2.3
Version : 2.3.3-1+deb9u10
CVE ID : CVE-2021-31799 CVE-2021-31810 CVE-2021-32066
Debian Bug : 990815
Multiple vulnerabilities were discovered in ruby2.3, the interpreter
for the object-oriented scripting language Ruby.
CVE-2021-31799
In RDoc 3.11 through 6.x before 6.3.1, as distributed with
Ruby through 2.3.3, it is possible to execute arbitrary
code via | and tags in a filename.
CVE-2021-31810
An issue was discovered in Ruby through 2.3.3. A malicious
FTP server can use the PASV response to trick Net::FTP into
connecting back to a given IP address and port. This
potentially makes curl extract information about services
that are otherwise private and not disclosed (e.g., the
attacker can conduct port scans and service banner extractions).
CVE-2021-32066
An issue was discovered in Ruby through 2.3.3. Net::IMAP does
not raise an exception when StartTLS fails with an unknown
response, which might allow man-in-the-middle attackers to
bypass the TLS protections by leveraging a network position
between the client and the registry to block the StartTLS
command, aka a "StartTLS stripping attack."
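The failure mode behind CVE-2021-32066 is a client that sends STARTTLS and then carries on in cleartext when the reply is anything other than a tagged OK. The following is an added illustration, not code from Ruby's Net::IMAP or from the Debian package: a minimal reader for the STARTTLS reply that models the pre-fix lenient decision beside the strict one a client needs, exercised over a constructed in-memory exchange (the command tag and the reply texts are assumptions).

```ruby
require 'stringio'

# Added example: a model of the decision a client must make after sending
# STARTTLS, not the Net::IMAP implementation. Tags and texts are constructed.
class StartTlsError < StandardError; end

# An IMAP reply line is "<tag> <OK|NO|BAD> <text>"; untagged lines use "*".
ImapResponse = Struct.new(:tag, :name, :text)

def parse_response(line)
  tag, name, text = line.chomp.split(' ', 3)
  ImapResponse.new(tag, name, text.to_s)
end

# Pre-fix behaviour: a tagged reply that is not OK is silently treated as
# "no TLS" and the session continues in cleartext, so a reply rewritten in
# transit is enough to strip StartTLS.
def starttls_lenient(io, tag)
  while (line = io.gets)
    resp = parse_response(line)
    next unless resp.tag == tag
    return resp.name == 'OK' ? :tls : :plaintext
  end
  :plaintext
end

# Fixed behaviour: untagged lines ("* OK ...", "* BYE ...") and replies to
# other commands are skipped, only a tagged OK authorises the TLS handshake,
# and NO, BAD, an unknown word or EOF all raise, so the session can never
# fall back to cleartext.
def starttls_strict(io, tag)
  while (line = io.gets)
    resp = parse_response(line)
    next unless resp.tag == tag
    return :tls if resp.name == 'OK'
    raise StartTlsError, "STARTTLS rejected: #{resp.name} #{resp.text}".strip
  end
  raise StartTlsError, 'connection closed before STARTTLS was acknowledged'
end

# Constructed exchanges: an honest server reply and a tampered one.
HONEST_REPLY   = "* OK still here\r\nRUBY0001 OK Begin TLS negotiation now\r\n"
TAMPERED_REPLY = "RUBY0001 BAD unknown command\r\n"

if __FILE__ == $PROGRAM_NAME
  p starttls_lenient(StringIO.new(TAMPERED_REPLY), 'RUBY0001') # :plaintext
  p starttls_strict(StringIO.new(HONEST_REPLY), 'RUBY0001')    # :tls
  begin
    starttls_strict(StringIO.new(TAMPERED_REPLY), 'RUBY0001')
  rescue StartTlsError => e
    puts "refused: #{e.message}"
  end
end
```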
For Debian 9 stretch, these problems have been fixed in version
2.3.3-1+deb9u10.
We recommend that you upgrade your ruby2.3 packages.
For the detailed security status of ruby2.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.3
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
OS | OS Version | Architecture | Package | Affected Version | Fixed Filename |
---|---|---|---|---|---|
Debian | 9 | arm64 | libruby2.3 | < 2.3.3-1+deb9u10 | libruby2.3_2.3.3-1+deb9u10_arm64.deb |
Debian | 10 | arm64 | libruby2.5 | < 2.5.5-3+deb10u4 | libruby2.5_2.5.5-3+deb10u4_arm64.deb |
Debian | 10 | mipsel | libruby2.5 | < 2.5.5-3+deb10u4 | libruby2.5_2.5.5-3+deb10u4_mipsel.deb |
Debian | 10 | mips | ruby2.5-dbgsym | < 2.5.5-3+deb10u4 | ruby2.5-dbgsym_2.5.5-3+deb10u4_mips.deb |
Debian | 10 | mips64el | ruby2.5 | < 2.5.5-3+deb10u4 | ruby2.5_2.5.5-3+deb10u4_mips64el.deb |
Debian | 10 | ppc64el | ruby2.5-dbgsym | < 2.5.5-3+deb10u4 | ruby2.5-dbgsym_2.5.5-3+deb10u4_ppc64el.deb |
Debian | 10 | s390x | ruby2.5-dev | < 2.5.5-3+deb10u4 | ruby2.5-dev_2.5.5-3+deb10u4_s390x.deb |
Debian | 10 | armhf | ruby2.5-dev | < 2.5.5-3+deb10u4 | ruby2.5-dev_2.5.5-3+deb10u4_armhf.deb |
Debian | 10 | mips | ruby2.5 | < 2.5.5-3+deb10u4 | ruby2.5_2.5.5-3+deb10u4_mips.deb |
Debian | 10 | mips | ruby2.5-dev | < 2.5.5-3+deb10u4 | ruby2.5-dev_2.5.5-3+deb10u4_mips.deb |