[SECURITY] Fedora 38 Update: rubygem-yard-0.9.36-1.fc38

YARD is a documentation generation tool for the Ruby programming language. It enables the user to generate consistent, usable documentation that can be exported to a number of formats very easily, and also supports extending for custom Ruby constructs such as custom class level definitions...

RCE vulnerability with .rdoc_options in RDoc

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdocoptions used for configuration in RDoc as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be...

AlmaLinux 8 : ruby:3.1 (ALSA-2024:1431)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:1431 advisory. ruby/cgi-gem: HTTP response splitting in CGI CVE-2021-33621 ruby: ReDoS vulnerability in URI CVE-2023-28755 ruby: ReDoS vulnerability - upstream's...

StringIO 安全漏洞

StringIO is a Ruby input/output library open-sourced by The Ruby Programming Language. A security vulnerability exists in StringIO 3.0.2 and earlier versions, which stems from a buffer rewrite issue...

Buffer overread vulnerability in StringIO

An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. This vulnerability is not affected...

Oracle Linux 8 : ruby:3.1 (ELSA-2024-1431)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1431 advisory. ruby 3.1.4-142 - Upgrade to Ruby 3.1.4. Resolves: RHEL-28565 - Fix HTTP response splitting in CGI. Resolves: RHEL-28564 - Fix ReDos vulnerability in UR...

ruby:3.1 security, bug fix, and enhancement update

ruby 3.1.4-142 - Upgrade to Ruby 3.1.4. Resolves: RHEL-28565 - Fix HTTP response splitting in CGI. Resolves: RHEL-28564 - Fix ReDos vulnerability in URI. Resolves: RHEL-28567 Resolves: RHEL-28576 - Fix ReDos vulnerability in Time. Resolves: RHEL-28566 - Make RDoc soft dependency in IRB. Resolves:...

Fedora 38 : rubygem-yard (2024-3744975c4b)

The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-3744975c4b advisory. A security flaw was found on rubygem-yard that documents generated by yard may be vulnerable to XSS attack. This issue is now assigned as CVE-2024-27285 . Th...

ruby: ReDoS vulnerability in Time

A flaw was found in the Time gem and Time library of Ruby. The Time parser mishandles invalid strings with specific characters and causes an increase in execution time for parsing strings to Time objects. This issue may result in a Regular expression denial of service ReDoS...

ruby: ReDoS vulnerability in URI

A flaw was found in the rubygem URI. The URI parser mishandles invalid URLs that have specific characters, which causes an increase in execution time parsing strings to URI objects. This may result in a regular expression denial of service ReDoS...

rubygem-uri: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755

A flaw was found in the rubygem URI. The URI parser mishandles invalid URLs that have specific characters, which causes an increase in execution time parsing strings to URI objects. This issue may result in a regular expression denial of service ReDoS...

Moderate: Red Hat Security Advisory: ruby:3.1 security, bug fix, and enhancement update

An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

ruby/cgi-gem: HTTP response splitting in CGI

A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker to insert a newline character to split a header and inject malicious content to deceive clients...

Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2024-26144).

Summary There is a vulnerability in the Ruby On Rails opens source component used by IBM License Metric Tool. The vulnerability could allow a remote attacker to obtain some sensitive information. Vulnerability Details CVEID:CVE-2024-26144 DESCRIPTION: Rails could allow a remote attacker to obtain...

Moderate: ruby:3.1 security, bug fix, and enhancement update

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby 3.1. AlmaLinux-28565 Security Fixes: ruby/cgi-gem: HTTP response...

PT-2024-2479 · Ruby +7 · Rdoc +7

Name of the Vulnerable Software and Affected Versions: RDoc versions 6.3.3 through 6.6.2 Description: The issue is related to the restoration of untrusted data in memory by the RDoc documentation generator for the Ruby programming language. This can be exploited to execute arbitrary code using...

ALSA-2024:1431 Moderate: ruby:3.1 security, bug fix, and enhancement update

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby 3.1. AlmaLinux-28565 Security Fixes: ruby/cgi-gem: HTTP response...

PT-2024-2478

Name of the Vulnerable Software and Affected Versions: Ruby StringIO versions 3.0.1 through 3.0.6 Ruby StringIO versions 3.1.x through 3.1.4 Description: A buffer-overread issue was discovered in StringIO, where the ungetbyte and ungetc methods can read past the end of a string, and a subsequent...

RHEL 8 : ruby:3.1 (RHSA-2024:1431)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1431 advisory. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system...

ROTP 6.2.2 and 6.2.1 has 0666 permissions for the .rb files.

The Ruby One Time Password library ROTP is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation...