Photon OS 4.0: Ruby PHSA-2026-4.0-0976

An update of the ruby package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-4.0-0976. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...

GHSA-MHG6-2Q2V-9H2C sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest

Summary Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardles...

EUVD-2026-10932

sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest...

EUVD-2026-10933

sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest...

sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest

Summary Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardles...

Critical Photon OS Security Update - PHSA-2026-4.0-0976

Updates of 'ImageMagick', 'ruby' packages of Photon OS have been released...

CVE-2026-31830

sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation...

CVE-2026-31830 sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest

sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation...

CVE-2026-31830 sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest

sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation...

CVE-2026-31830 sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest

sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation...

CVE-2026-31830

sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation...

PT-2026-24484

Name of the Vulnerable Software and Affected Versions sigstore-ruby versions prior to 0.2.3 Description The software does not correctly handle verification failures when the artifact digest does not match the digest in the in-toto attestation subject. Specifically, the Sigstore::Verifierverify...

Security Bulletin: Multiple vulnerabilities in IBM Aspera Faspex

Summary Multiple vulnerabilities were addressed in IBM Aspera Faspex version 5.0.15 Vulnerability Details CVEID:CVE-2026-22860 DESCRIPTION: Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory’s path check used a string prefix match on the...

NewStart CGSL MAIN 6.06 (SP) : ruby Multiple Vulnerabilities (NS-SA-2026-0023)

The remote NewStart CGSL host, running version MAIN 6.06 SP, has ruby packages installed that are affected by multiple vulnerabilities: - CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks...

MarkUs 安全漏洞

MarkUs is an open-source Ruby on Rails and React web application used for submitting and grading student assignments. Versions of MarkUs prior to 2.9.4 contained a security vulnerability due to the lack of size or item quantity limits when extracting zip files...

CVE-2026-22479

Missing Authorization vulnerability in ThemeRuby Easy Post Submission easy-post-submission allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Post Submission: from n/a through = 2.4.0...

PT-2026-23211

Name of the Vulnerable Software and Affected Versions ThemeRuby Easy Post Submission versions through 2.2.0 Description The software contains a missing authorization flaw, allowing exploitation of incorrectly configured access control security levels. The issue allows unauthorized access...

Buffer overflow vulnerability in Zlib::GzipReader

A buffer overflow vulnerability exists in Zlib::GzipReader. This vulnerability has been assigned the CVE identifier CVE-2026-27820. We recommend upgrading the zlib gem. Details The zstreambufferungets function prepends caller-provided bytes ahead of previously produced output but fails to guarant...

CLEANSTART-2026-XJ84245 Rack is a modular Ruby web server interface

Multiple security vulnerabilities affect the logstash-fips package. Rack is a modular Ruby web server interface. See references for individual vulnerability details...

Security Bulletin: Multiple Vulnerabilities in IBM API Connect

Summary Multiple vulnerabilities were addressed in IBM API Connect version 10.0.8.7 Vulnerability Details CVEID:CVE-2025-12818 DESCRIPTION: Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an...