SUSE-SU-2020:1570-1
Vulnerability Summary
Timeline
Description
Security update for ruby2.1 This update for ruby2.1 fixes the following issues: Security issues fixed: - CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983). - CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265). - CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755). - CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286). - CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286). - CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286). - CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286). - CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452). - CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607). - CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632). - CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754). - CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757). - CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782). - CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002). - CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434). - CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782). - CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441). - CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436). - CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433). - CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440). - CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437). - CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530). - CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532). - CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007). - CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008). - CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014). - CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009). - CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010). - CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011). - CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058). - CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627). - CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623). - CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622). - CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620). - CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617). - CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611). - CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994). - CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995). - CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992). - CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990). - CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517). Non-security issue fixed: - Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072). Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)
Affected Systems
- suse•ruby2.1&distro=HPE Helion OpenStack 8
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Enterprise Storage 5
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Server 12 SP2-BCL
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Server 12 SP2-LTSS
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Server 12 SP3-BCL
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Server 12 SP3-LTSS
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Server 12 SP4
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Server 12 SP5
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP2
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP3
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP4
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP5
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Software Development Kit 12 SP4
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE Linux Enterprise Software Development Kit 12 SP5
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE OpenStack Cloud 7
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE OpenStack Cloud 8
< 2.1.9-19.3.2
- suse•ruby2.1&distro=SUSE OpenStack Cloud Crowbar 8
< 2.1.9-19.3.2
- suse•yast2-ruby-bindings&distro=SUSE Linux Enterprise Server 12 SP2-BCL
< 3.1.53-9.8.1
- suse•yast2-ruby-bindings&distro=SUSE Linux Enterprise Server 12 SP2-LTSS
< 3.1.53-9.8.1
- suse•yast2-ruby-bindings&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP2
< 3.1.53-9.8.1
- suse•yast2-ruby-bindings&distro=SUSE OpenStack Cloud 7
< 3.1.53-9.8.1
References (83)
- https://www.suse.com/support/update/announcement/2020/suse-su-20201570-1/
- https://bugzilla.suse.com/1043983
- https://bugzilla.suse.com/1048072
- https://bugzilla.suse.com/1055265
- https://bugzilla.suse.com/1056286
- https://bugzilla.suse.com/1056782
- https://bugzilla.suse.com/1058754
- https://bugzilla.suse.com/1058755
- https://bugzilla.suse.com/1058757
- https://bugzilla.suse.com/1062452
- https://bugzilla.suse.com/1069607
- https://bugzilla.suse.com/1069632
- https://bugzilla.suse.com/1073002
- https://bugzilla.suse.com/1078782
- https://bugzilla.suse.com/1082007
- https://bugzilla.suse.com/1082008
- https://bugzilla.suse.com/1082009
- https://bugzilla.suse.com/1082010
- https://bugzilla.suse.com/1082011
- https://bugzilla.suse.com/1082014
- https://bugzilla.suse.com/1082058
- https://bugzilla.suse.com/1087433
- https://bugzilla.suse.com/1087434
- https://bugzilla.suse.com/1087436
- https://bugzilla.suse.com/1087437
- https://bugzilla.suse.com/1087440
- https://bugzilla.suse.com/1087441
- https://bugzilla.suse.com/1112530
- https://bugzilla.suse.com/1112532
- https://bugzilla.suse.com/1130611
- https://bugzilla.suse.com/1130617
- https://bugzilla.suse.com/1130620
- https://bugzilla.suse.com/1130622
- https://bugzilla.suse.com/1130623
- https://bugzilla.suse.com/1130627
- https://bugzilla.suse.com/1152990
- https://bugzilla.suse.com/1152992
- https://bugzilla.suse.com/1152994
- https://bugzilla.suse.com/1152995
- https://bugzilla.suse.com/1171517
- https://bugzilla.suse.com/1172275
- https://www.suse.com/security/cve/CVE-2015-9096
- https://www.suse.com/security/cve/CVE-2016-2339
- https://www.suse.com/security/cve/CVE-2016-7798
- https://www.suse.com/security/cve/CVE-2017-0898
- https://www.suse.com/security/cve/CVE-2017-0899
- https://www.suse.com/security/cve/CVE-2017-0900
- https://www.suse.com/security/cve/CVE-2017-0901
- https://www.suse.com/security/cve/CVE-2017-0902
- https://www.suse.com/security/cve/CVE-2017-0903
- https://www.suse.com/security/cve/CVE-2017-10784
- https://www.suse.com/security/cve/CVE-2017-14033
- https://www.suse.com/security/cve/CVE-2017-14064
- https://www.suse.com/security/cve/CVE-2017-17405
- https://www.suse.com/security/cve/CVE-2017-17742
- https://www.suse.com/security/cve/CVE-2017-17790
- https://www.suse.com/security/cve/CVE-2017-9228
- https://www.suse.com/security/cve/CVE-2017-9229
- https://www.suse.com/security/cve/CVE-2018-1000073
- https://www.suse.com/security/cve/CVE-2018-1000074
- https://www.suse.com/security/cve/CVE-2018-1000075
- https://www.suse.com/security/cve/CVE-2018-1000076
- https://www.suse.com/security/cve/CVE-2018-1000077
- https://www.suse.com/security/cve/CVE-2018-1000078
- https://www.suse.com/security/cve/CVE-2018-1000079
- https://www.suse.com/security/cve/CVE-2018-16395
- https://www.suse.com/security/cve/CVE-2018-16396
- https://www.suse.com/security/cve/CVE-2018-6914
- https://www.suse.com/security/cve/CVE-2018-8777
- https://www.suse.com/security/cve/CVE-2018-8778
- https://www.suse.com/security/cve/CVE-2018-8779
- https://www.suse.com/security/cve/CVE-2018-8780
- https://www.suse.com/security/cve/CVE-2019-15845
- https://www.suse.com/security/cve/CVE-2019-16201
- https://www.suse.com/security/cve/CVE-2019-16254
- https://www.suse.com/security/cve/CVE-2019-16255
- https://www.suse.com/security/cve/CVE-2019-8320
- https://www.suse.com/security/cve/CVE-2019-8321
- https://www.suse.com/security/cve/CVE-2019-8322
- https://www.suse.com/security/cve/CVE-2019-8323
- https://www.suse.com/security/cve/CVE-2019-8324
- https://www.suse.com/security/cve/CVE-2019-8325
- https://www.suse.com/security/cve/CVE-2020-10663