RHSA-2021:3020

Description

Red Hat Security Advisory: ruby:2.7 security update

CVSS Metrics

• v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Systems

• redhat•ruby

  < 0:2.7.4-137.module+el8.4.0+12025+f744ca41

• redhat•ruby-debuginfo

  < 0:2.7.4-137.module+el8.4.0+12025+f744ca41

• redhat•ruby-debugsource

  < 0:2.7.4-137.module+el8.4.0+12025+f744ca41

• redhat•ruby-default-gems

  < 0:2.7.4-137.module+el8.4.0+12025+f744ca41

• redhat•ruby-devel

  < 0:2.7.4-137.module+el8.4.0+12025+f744ca41

• redhat•ruby-doc

  < 0:2.7.4-137.module+el8.4.0+12025+f744ca41

• redhat•ruby-libs

  < 0:2.7.4-137.module+el8.4.0+12025+f744ca41

• redhat•ruby-libs-debuginfo

  < 0:2.7.4-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-abrt

  < 0:0.4.0-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-abrt-doc

  < 0:0.4.0-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-bigdecimal

  < 0:2.0.0-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-bigdecimal-debuginfo

  < 0:2.0.0-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-bson

  < 0:4.8.1-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-bson-debuginfo

  < 0:4.8.1-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-bson-debugsource

  < 0:4.8.1-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-bson-doc

  < 0:4.8.1-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-bundler

  < 0:2.2.24-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-io-console

  < 0:0.5.6-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-io-console-debuginfo

  < 0:0.5.6-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-irb

  < 0:1.2.6-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-json

  < 0:2.3.0-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-json-debuginfo

  < 0:2.3.0-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-minitest

  < 0:5.13.0-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-mongo

  < 0:2.11.3-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-mongo-doc

  < 0:2.11.3-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-mysql2

  < 0:0.5.3-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-mysql2-debuginfo

  < 0:0.5.3-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-mysql2-debugsource

  < 0:0.5.3-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-mysql2-doc

  < 0:0.5.3-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-net-telnet

  < 0:0.2.0-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-openssl

  < 0:2.1.2-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-openssl-debuginfo

  < 0:2.1.2-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-pg

  < 0:1.2.3-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-pg-debuginfo

  < 0:1.2.3-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-pg-debugsource

  < 0:1.2.3-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-pg-doc

  < 0:1.2.3-1.module+el8.3.0+7192+4e3a532a

• redhat•rubygem-power_assert

  < 0:1.1.7-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-psych

  < 0:3.1.0-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-psych-debuginfo

  < 0:3.1.0-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-rake

  < 0:13.0.1-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-rdoc

  < 0:6.2.1.1-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-test-unit

  < 0:3.3.4-137.module+el8.4.0+12025+f744ca41

• redhat•rubygem-xmlrpc

  < 0:0.3.0-137.module+el8.4.0+12025+f744ca41

• redhat•rubygems

  < 0:3.1.6-137.module+el8.4.0+12025+f744ca41

• redhat•rubygems-devel

  < 0:3.1.6-137.module+el8.4.0+12025+f744ca41

References (24)

• https://access.redhat.com/errata/RHSA-2021:3020
• https://access.redhat.com/security/updates/classification/#important
• https://bugzilla.redhat.com/show_bug.cgi?id=1958999
• https://bugzilla.redhat.com/show_bug.cgi?id=1980126
• https://bugzilla.redhat.com/show_bug.cgi?id=1980128
• https://bugzilla.redhat.com/show_bug.cgi?id=1980132
• https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3020.json
• https://access.redhat.com/security/cve/CVE-2020-36327
• https://www.cve.org/CVERecord?id=CVE-2020-36327
• https://nvd.nist.gov/vuln/detail/CVE-2020-36327
• https://access.redhat.com/articles/6206172
• https://www.zofrex.com/blog/2021/04/29/bundler-still-vulnerable-dependency-confusion-cve-2020-36327/
• https://access.redhat.com/security/cve/CVE-2021-31799
• https://www.cve.org/CVERecord?id=CVE-2021-31799
• https://nvd.nist.gov/vuln/detail/CVE-2021-31799
• https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
• https://access.redhat.com/security/cve/CVE-2021-31810
• https://www.cve.org/CVERecord?id=CVE-2021-31810
• https://nvd.nist.gov/vuln/detail/CVE-2021-31810
• https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
• https://access.redhat.com/security/cve/CVE-2021-32066
• https://www.cve.org/CVERecord?id=CVE-2021-32066
• https://nvd.nist.gov/vuln/detail/CVE-2021-32066
• https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/