Lucene search

DebianDEBIAN:DLA-3858-1:E2379

HistorySep 02, 2024 - 12:46 p.m.

[SECURITY] [DLA 3858-1] ruby2.7 security update

2024-09-0212:46:22

lists.debian.org

ruby language interpreter

denial-of-service

information leak

remote code execution

cve-2021-33621

cve-2022-28739

cve-2023-28755

cve-2023-28756

cve-2023-36617

cve-2024-27280

cve-2024-27281

cve-2024-27282

debian 11 bullseye

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

Low

EPSS

0.005

Percentile

77.9%

JSON

Debian LTS Advisory DLA-3858-1 [email protected]
https://www.debian.org/lts/security/ Sylvain Beucler
September 02, 2024 https://wiki.debian.org/LTS

Package : ruby2.7
Version : 2.7.4-1+deb11u2
CVE ID : CVE-2021-33621 CVE-2022-28739 CVE-2023-28755 CVE-2023-28756
CVE-2023-36617 CVE-2024-27280 CVE-2024-27281 CVE-2024-27282
Debian Bug : 1009957 1024799 1038408 1067802 1069966 1069968

Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may result in denial-of-service (DoS),
information leak, and remote code execution.

CVE-2021-33621

The cgi gem allows HTTP response splitting. This is relevant to
applications that use untrusted user input either to generate an
HTTP response or to create a CGI::Cookie object.

CVE-2022-28739

Buffer over-read occurs in String-to-Float conversion, including
Kernel#Float and String#to_f.

CVE-2023-28755

A ReDoS issue was discovered in the URI component. The URI parser
mishandles invalid URLs that have specific characters. It causes
an increase in execution time for parsing strings to URI objects.

CVE-2023-28756

A ReDoS issue was discovered in the Time component. The Time
parser mishandles invalid URLs that have specific characters. It
causes an increase in execution time for parsing strings to Time
objects.

CVE-2023-36617

Follow-up fix for CVE-2023-28755.

CVE-2024-27280

A buffer-overread issue was discovered in StringIO. The ungetbyte
and ungetc methods on a StringIO can read past the end of a
string, and a subsequent call to StringIO.gets may return the
memory value.

CVE-2024-27281

When parsing .rdoc_options (used for configuration in RDoc) as a
YAML file, object injection and resultant remote code execution
are possible because there are no restrictions on the classes that
can be restored. (When loading the documentation cache, object
injection and resultant remote code execution are also possible if
there were a crafted cache.)

CVE-2024-27282

If attacker-supplied data is provided to the Ruby regex compiler,
it is possible to extract arbitrary heap data relative to the
start of the text, including pointers and sensitive strings.

For Debian 11 bullseye, these problems have been fixed in version
2.7.4-1+deb11u2.

We recommend that you upgrade your ruby2.7 packages.

For the detailed security status of ruby2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian12mipsellibruby3.1-dbgsym< 3.1.2-7+deb12u1libruby3.1-dbgsym_3.1.2-7+deb12u1_mipsel.deb
Debian12i386ruby3.1-dev< 3.1.2-7+deb12u1ruby3.1-dev_3.1.2-7+deb12u1_i386.deb
Debian12armhflibruby3.1< 3.1.2-7+deb12u1libruby3.1_3.1.2-7+deb12u1_armhf.deb
Debian12armelruby3.1-dev< 3.1.2-7+deb12u1ruby3.1-dev_3.1.2-7+deb12u1_armel.deb
Debian12amd64ruby3.1< 3.1.2-7+deb12u1ruby3.1_3.1.2-7+deb12u1_amd64.deb
Debian10i386ruby2.5< 2.5.5-3+deb10u6ruby2.5_2.5.5-3+deb10u6_i386.deb
Debian11i386libruby2.7< 2.7.4-1+deb11u2libruby2.7_2.7.4-1+deb11u2_i386.deb
Debian11amd64ruby2.7-dbgsym< 2.7.4-1+deb11u2ruby2.7-dbgsym_2.7.4-1+deb11u2_amd64.deb
Debian10allruby2.5-doc< 2.5.5-3+deb10u5ruby2.5-doc_2.5.5-3+deb10u5_all.deb
Debian12amd64libruby3.1< 3.1.2-7+deb12u1libruby3.1_3.1.2-7+deb12u1_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	mipsel	libruby3.1-dbgsym	< 3.1.2-7+deb12u1	libruby3.1-dbgsym_3.1.2-7+deb12u1_mipsel.deb
Debian	12	i386	ruby3.1-dev	< 3.1.2-7+deb12u1	ruby3.1-dev_3.1.2-7+deb12u1_i386.deb
Debian	12	armhf	libruby3.1	< 3.1.2-7+deb12u1	libruby3.1_3.1.2-7+deb12u1_armhf.deb
Debian	12	armel	ruby3.1-dev	< 3.1.2-7+deb12u1	ruby3.1-dev_3.1.2-7+deb12u1_armel.deb
Debian	12	amd64	ruby3.1	< 3.1.2-7+deb12u1	ruby3.1_3.1.2-7+deb12u1_amd64.deb
Debian	10	i386	ruby2.5	< 2.5.5-3+deb10u6	ruby2.5_2.5.5-3+deb10u6_i386.deb
Debian	11	i386	libruby2.7	< 2.7.4-1+deb11u2	libruby2.7_2.7.4-1+deb11u2_i386.deb
Debian	11	amd64	ruby2.7-dbgsym	< 2.7.4-1+deb11u2	ruby2.7-dbgsym_2.7.4-1+deb11u2_amd64.deb
Debian	10	all	ruby2.5-doc	< 2.5.5-3+deb10u5	ruby2.5-doc_2.5.5-3+deb10u5_all.deb
Debian	12	amd64	libruby3.1	< 3.1.2-7+deb12u1	libruby3.1_3.1.2-7+deb12u1_amd64.deb