-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: rh-ruby27-ruby security update Advisory ID: RHSA-2021:3559-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2021:3559 Issue date: 2021-09-20 CVE Names: CVE-2020-36327 CVE-2021-31799 CVE-2021-31810 CVE-2021-32066 ===================================================================== 1. Summary: An update for rh-ruby27-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: rh-ruby27-ruby (2.7.4). Security Fix(es): * rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source (CVE-2020-36327) * rubygem-rdoc: Command injection vulnerability in RDoc (CVE-2021-31799) * ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host (CVE-2021-31810) * ruby: StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1958999 - CVE-2020-36327 rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source 1980126 - CVE-2021-31810 ruby: FTP PASV command response can cause Net::FTP to connect to arbitrary host 1980128 - CVE-2021-32066 ruby: StartTLS stripping vulnerability in Net::IMAP 1980132 - CVE-2021-31799 rubygem-rdoc: Command injection vulnerability in RDoc 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-ruby27-ruby-2.7.4-130.el7.src.rpm noarch: rh-ruby27-ruby-doc-2.7.4-130.el7.noarch.rpm rh-ruby27-rubygem-bundler-2.2.24-130.el7.noarch.rpm rh-ruby27-rubygem-did_you_mean-1.4.0-130.el7.noarch.rpm rh-ruby27-rubygem-irb-1.2.6-130.el7.noarch.rpm rh-ruby27-rubygem-minitest-5.13.0-130.el7.noarch.rpm rh-ruby27-rubygem-net-telnet-0.2.0-130.el7.noarch.rpm rh-ruby27-rubygem-power_assert-1.1.7-130.el7.noarch.rpm rh-ruby27-rubygem-rake-13.0.1-130.el7.noarch.rpm rh-ruby27-rubygem-rdoc-6.2.1.1-130.el7.noarch.rpm rh-ruby27-rubygem-test-unit-3.3.4-130.el7.noarch.rpm rh-ruby27-rubygem-xmlrpc-0.3.0-130.el7.noarch.rpm rh-ruby27-rubygems-3.1.6-130.el7.noarch.rpm rh-ruby27-rubygems-devel-3.1.6-130.el7.noarch.rpm ppc64le: rh-ruby27-ruby-2.7.4-130.el7.ppc64le.rpm rh-ruby27-ruby-debuginfo-2.7.4-130.el7.ppc64le.rpm rh-ruby27-ruby-devel-2.7.4-130.el7.ppc64le.rpm rh-ruby27-ruby-libs-2.7.4-130.el7.ppc64le.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-130.el7.ppc64le.rpm rh-ruby27-rubygem-io-console-0.5.6-130.el7.ppc64le.rpm rh-ruby27-rubygem-json-2.3.0-130.el7.ppc64le.rpm rh-ruby27-rubygem-openssl-2.1.2-130.el7.ppc64le.rpm rh-ruby27-rubygem-psych-3.1.0-130.el7.ppc64le.rpm rh-ruby27-rubygem-racc-1.4.16-130.el7.ppc64le.rpm s390x: rh-ruby27-ruby-2.7.4-130.el7.s390x.rpm rh-ruby27-ruby-debuginfo-2.7.4-130.el7.s390x.rpm rh-ruby27-ruby-devel-2.7.4-130.el7.s390x.rpm rh-ruby27-ruby-libs-2.7.4-130.el7.s390x.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-130.el7.s390x.rpm rh-ruby27-rubygem-io-console-0.5.6-130.el7.s390x.rpm rh-ruby27-rubygem-json-2.3.0-130.el7.s390x.rpm rh-ruby27-rubygem-openssl-2.1.2-130.el7.s390x.rpm rh-ruby27-rubygem-psych-3.1.0-130.el7.s390x.rpm rh-ruby27-rubygem-racc-1.4.16-130.el7.s390x.rpm x86_64: rh-ruby27-ruby-2.7.4-130.el7.x86_64.rpm rh-ruby27-ruby-debuginfo-2.7.4-130.el7.x86_64.rpm rh-ruby27-ruby-devel-2.7.4-130.el7.x86_64.rpm rh-ruby27-ruby-libs-2.7.4-130.el7.x86_64.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-130.el7.x86_64.rpm rh-ruby27-rubygem-io-console-0.5.6-130.el7.x86_64.rpm rh-ruby27-rubygem-json-2.3.0-130.el7.x86_64.rpm rh-ruby27-rubygem-openssl-2.1.2-130.el7.x86_64.rpm rh-ruby27-rubygem-psych-3.1.0-130.el7.x86_64.rpm rh-ruby27-rubygem-racc-1.4.16-130.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7): Source: rh-ruby27-ruby-2.7.4-130.el7.src.rpm noarch: rh-ruby27-ruby-doc-2.7.4-130.el7.noarch.rpm rh-ruby27-rubygem-bundler-2.2.24-130.el7.noarch.rpm rh-ruby27-rubygem-did_you_mean-1.4.0-130.el7.noarch.rpm rh-ruby27-rubygem-irb-1.2.6-130.el7.noarch.rpm rh-ruby27-rubygem-minitest-5.13.0-130.el7.noarch.rpm rh-ruby27-rubygem-net-telnet-0.2.0-130.el7.noarch.rpm rh-ruby27-rubygem-power_assert-1.1.7-130.el7.noarch.rpm rh-ruby27-rubygem-rake-13.0.1-130.el7.noarch.rpm rh-ruby27-rubygem-rdoc-6.2.1.1-130.el7.noarch.rpm rh-ruby27-rubygem-test-unit-3.3.4-130.el7.noarch.rpm rh-ruby27-rubygem-xmlrpc-0.3.0-130.el7.noarch.rpm rh-ruby27-rubygems-3.1.6-130.el7.noarch.rpm rh-ruby27-rubygems-devel-3.1.6-130.el7.noarch.rpm ppc64le: rh-ruby27-ruby-2.7.4-130.el7.ppc64le.rpm rh-ruby27-ruby-debuginfo-2.7.4-130.el7.ppc64le.rpm rh-ruby27-ruby-devel-2.7.4-130.el7.ppc64le.rpm rh-ruby27-ruby-libs-2.7.4-130.el7.ppc64le.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-130.el7.ppc64le.rpm rh-ruby27-rubygem-io-console-0.5.6-130.el7.ppc64le.rpm rh-ruby27-rubygem-json-2.3.0-130.el7.ppc64le.rpm rh-ruby27-rubygem-openssl-2.1.2-130.el7.ppc64le.rpm rh-ruby27-rubygem-psych-3.1.0-130.el7.ppc64le.rpm rh-ruby27-rubygem-racc-1.4.16-130.el7.ppc64le.rpm s390x: rh-ruby27-ruby-2.7.4-130.el7.s390x.rpm rh-ruby27-ruby-debuginfo-2.7.4-130.el7.s390x.rpm rh-ruby27-ruby-devel-2.7.4-130.el7.s390x.rpm rh-ruby27-ruby-libs-2.7.4-130.el7.s390x.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-130.el7.s390x.rpm rh-ruby27-rubygem-io-console-0.5.6-130.el7.s390x.rpm rh-ruby27-rubygem-json-2.3.0-130.el7.s390x.rpm rh-ruby27-rubygem-openssl-2.1.2-130.el7.s390x.rpm rh-ruby27-rubygem-psych-3.1.0-130.el7.s390x.rpm rh-ruby27-rubygem-racc-1.4.16-130.el7.s390x.rpm x86_64: rh-ruby27-ruby-2.7.4-130.el7.x86_64.rpm rh-ruby27-ruby-debuginfo-2.7.4-130.el7.x86_64.rpm rh-ruby27-ruby-devel-2.7.4-130.el7.x86_64.rpm rh-ruby27-ruby-libs-2.7.4-130.el7.x86_64.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-130.el7.x86_64.rpm rh-ruby27-rubygem-io-console-0.5.6-130.el7.x86_64.rpm rh-ruby27-rubygem-json-2.3.0-130.el7.x86_64.rpm rh-ruby27-rubygem-openssl-2.1.2-130.el7.x86_64.rpm rh-ruby27-rubygem-psych-3.1.0-130.el7.x86_64.rpm rh-ruby27-rubygem-racc-1.4.16-130.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-ruby27-ruby-2.7.4-130.el7.src.rpm noarch: rh-ruby27-ruby-doc-2.7.4-130.el7.noarch.rpm rh-ruby27-rubygem-bundler-2.2.24-130.el7.noarch.rpm rh-ruby27-rubygem-did_you_mean-1.4.0-130.el7.noarch.rpm rh-ruby27-rubygem-irb-1.2.6-130.el7.noarch.rpm rh-ruby27-rubygem-minitest-5.13.0-130.el7.noarch.rpm rh-ruby27-rubygem-net-telnet-0.2.0-130.el7.noarch.rpm rh-ruby27-rubygem-power_assert-1.1.7-130.el7.noarch.rpm rh-ruby27-rubygem-rake-13.0.1-130.el7.noarch.rpm rh-ruby27-rubygem-rdoc-6.2.1.1-130.el7.noarch.rpm rh-ruby27-rubygem-test-unit-3.3.4-130.el7.noarch.rpm rh-ruby27-rubygem-xmlrpc-0.3.0-130.el7.noarch.rpm rh-ruby27-rubygems-3.1.6-130.el7.noarch.rpm rh-ruby27-rubygems-devel-3.1.6-130.el7.noarch.rpm x86_64: rh-ruby27-ruby-2.7.4-130.el7.x86_64.rpm rh-ruby27-ruby-debuginfo-2.7.4-130.el7.x86_64.rpm rh-ruby27-ruby-devel-2.7.4-130.el7.x86_64.rpm rh-ruby27-ruby-libs-2.7.4-130.el7.x86_64.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-130.el7.x86_64.rpm rh-ruby27-rubygem-io-console-0.5.6-130.el7.x86_64.rpm rh-ruby27-rubygem-json-2.3.0-130.el7.x86_64.rpm rh-ruby27-rubygem-openssl-2.1.2-130.el7.x86_64.rpm rh-ruby27-rubygem-psych-3.1.0-130.el7.x86_64.rpm rh-ruby27-rubygem-racc-1.4.16-130.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-36327 https://access.redhat.com/security/cve/CVE-2021-31799 https://access.redhat.com/security/cve/CVE-2021-31810 https://access.redhat.com/security/cve/CVE-2021-32066 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYUg/R9zjgjWX9erEAQibLA//Wjrr4iwZaImFPqllMa2Bsoa3ydeSpGjZ lfor5/WyU2Emli37CY4g7hG/Y2/Rz0gjsbNBe4tpMUTr4yPW/2FxCZY4A8aJS4mn Soo++XzRjnyhtOkpMJ0rb/DcOV4NT4q3MOUZJQM+qV7SFXZ7FmiYfBK/yxg7Mzpo uWYAKULMJpp9OtUmFXij1MsrQZ6gw4t+S7aRYMmT14HoL9bZhR03oLcU7nXmShF4 iytxVq4HoNv3RV0xmLUugMRTMswnkCAEnQQwSQ9l3UDQDi9BrDTaba8EIAh2Im8r hGDRGCsqZSuSNP4r6xAatLOPRnd8SqQVd57/iae3zgjuvAQ8/lLNi8L7fNtUrGsh TWuKoB5kO9pwt+NjtF4jXx51uK36d1PkQE1AGixPBtvviihyRyH/jJ8YDn4HMXPF MPE1tNLu7iUHbzuhkjsryHOBk60LFcRuLOGOIQbCBDLjrNuBL93BJ86AXLSwlYGV sPWs8bMXZKXm3AI66jwuwUDknDAyMuqbWE3ar1/J/qGw/FcY9QJ8UzCzWfDqgQOa gHgbEMRyQSokI0hyTVq+XPQrVoIyQAbg0g3gYCZIjduKMfn3L6Ffv+iWZiDPNMiy De7IJfEOMI/vq1CtbZIWnJGMn4ShiB6tk2GvHJO9rQtsntCNHxZaaTq1tKNMccnO 9+b8W/3+3vg= =/pZu -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce