Lucene search

Gentoo FoundationMGASA-2020-0285

HistoryJul 07, 2020 - 4:47 p.m.

Updated ruby packages fix security vulnerability

2020-07-0716:47:37

Gentoo Foundation

advisories.mageia.org

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

79.2%

JSON

Updated ruby packages fix security vulnerability: An issue was discovered in Ruby through 2.5.7. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter (CVE-2020-10933).

OSVersionArchitecturePackageVersionFilename
Mageia7noarchruby< 2.5.8-21ruby-2.5.8-21.mga7

OS	Version	Architecture	Package	Version	Filename
Mageia	7	noarch	ruby	< 2.5.8-21	ruby-2.5.8-21.mga7

References

bugs.mageia.org/show_bug.cgi?id=26409

www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/

www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

79.2%

JSON

Related for MGASA-2020-0285