-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-ruby27-ruby security, bug fix, and enhancement update Advisory ID: RHSA-2023:3291-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2023:3291 Issue date: 2023-05-24 CVE Names: CVE-2021-33621 CVE-2023-28755 CVE-2023-28756 ===================================================================== 1. Summary: An update for rh-ruby27-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for RHEL Workstation(v. 7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for RHEL(v. 7) - noarch, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: rh-ruby27-ruby (2.7.8). (BZ#2149267) Security Fix(es): * ruby/cgi-gem: HTTP response splitting in CGI (CVE-2021-33621) * ruby: ReDoS vulnerability in URI (CVE-2023-28755) * ruby: ReDoS vulnerability in Time (CVE-2023-28756) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2149267 - rh-ruby27-ruby: Rebase to the latest Ruby 2.7 release [rhscl-3] 2149706 - CVE-2021-33621 ruby/cgi-gem: HTTP response splitting in CGI 2184059 - CVE-2023-28755 ruby: ReDoS vulnerability in URI 2184061 - CVE-2023-28756 ruby: ReDoS vulnerability in Time 6. Package List: Red Hat Software Collections for RHEL Workstation(v. 7): Source: rh-ruby27-ruby-2.7.8-132.el7.src.rpm noarch: rh-ruby27-ruby-doc-2.7.8-132.el7.noarch.rpm rh-ruby27-rubygem-bundler-2.2.24-132.el7.noarch.rpm rh-ruby27-rubygem-did_you_mean-1.4.0-132.el7.noarch.rpm rh-ruby27-rubygem-irb-1.2.6-132.el7.noarch.rpm rh-ruby27-rubygem-minitest-5.13.0-132.el7.noarch.rpm rh-ruby27-rubygem-net-telnet-0.2.0-132.el7.noarch.rpm rh-ruby27-rubygem-power_assert-1.1.7-132.el7.noarch.rpm rh-ruby27-rubygem-rake-13.0.1-132.el7.noarch.rpm rh-ruby27-rubygem-rdoc-6.2.1.1-132.el7.noarch.rpm rh-ruby27-rubygem-test-unit-3.3.4-132.el7.noarch.rpm rh-ruby27-rubygem-xmlrpc-0.3.0-132.el7.noarch.rpm rh-ruby27-rubygems-3.1.6-132.el7.noarch.rpm rh-ruby27-rubygems-devel-3.1.6-132.el7.noarch.rpm ppc64le: rh-ruby27-ruby-2.7.8-132.el7.ppc64le.rpm rh-ruby27-ruby-debuginfo-2.7.8-132.el7.ppc64le.rpm rh-ruby27-ruby-devel-2.7.8-132.el7.ppc64le.rpm rh-ruby27-ruby-libs-2.7.8-132.el7.ppc64le.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-132.el7.ppc64le.rpm rh-ruby27-rubygem-io-console-0.5.6-132.el7.ppc64le.rpm rh-ruby27-rubygem-json-2.3.0-132.el7.ppc64le.rpm rh-ruby27-rubygem-openssl-2.1.4-132.el7.ppc64le.rpm rh-ruby27-rubygem-psych-3.1.0-132.el7.ppc64le.rpm rh-ruby27-rubygem-racc-1.4.16-132.el7.ppc64le.rpm s390x: rh-ruby27-ruby-2.7.8-132.el7.s390x.rpm rh-ruby27-ruby-debuginfo-2.7.8-132.el7.s390x.rpm rh-ruby27-ruby-devel-2.7.8-132.el7.s390x.rpm rh-ruby27-ruby-libs-2.7.8-132.el7.s390x.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-132.el7.s390x.rpm rh-ruby27-rubygem-io-console-0.5.6-132.el7.s390x.rpm rh-ruby27-rubygem-json-2.3.0-132.el7.s390x.rpm rh-ruby27-rubygem-openssl-2.1.4-132.el7.s390x.rpm rh-ruby27-rubygem-psych-3.1.0-132.el7.s390x.rpm rh-ruby27-rubygem-racc-1.4.16-132.el7.s390x.rpm x86_64: rh-ruby27-ruby-2.7.8-132.el7.x86_64.rpm rh-ruby27-ruby-debuginfo-2.7.8-132.el7.x86_64.rpm rh-ruby27-ruby-devel-2.7.8-132.el7.x86_64.rpm rh-ruby27-ruby-libs-2.7.8-132.el7.x86_64.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-132.el7.x86_64.rpm rh-ruby27-rubygem-io-console-0.5.6-132.el7.x86_64.rpm rh-ruby27-rubygem-json-2.3.0-132.el7.x86_64.rpm rh-ruby27-rubygem-openssl-2.1.4-132.el7.x86_64.rpm rh-ruby27-rubygem-psych-3.1.0-132.el7.x86_64.rpm rh-ruby27-rubygem-racc-1.4.16-132.el7.x86_64.rpm Red Hat Software Collections for RHEL(v. 7): Source: rh-ruby27-ruby-2.7.8-132.el7.src.rpm noarch: rh-ruby27-ruby-doc-2.7.8-132.el7.noarch.rpm rh-ruby27-rubygem-bundler-2.2.24-132.el7.noarch.rpm rh-ruby27-rubygem-did_you_mean-1.4.0-132.el7.noarch.rpm rh-ruby27-rubygem-irb-1.2.6-132.el7.noarch.rpm rh-ruby27-rubygem-minitest-5.13.0-132.el7.noarch.rpm rh-ruby27-rubygem-net-telnet-0.2.0-132.el7.noarch.rpm rh-ruby27-rubygem-power_assert-1.1.7-132.el7.noarch.rpm rh-ruby27-rubygem-rake-13.0.1-132.el7.noarch.rpm rh-ruby27-rubygem-rdoc-6.2.1.1-132.el7.noarch.rpm rh-ruby27-rubygem-test-unit-3.3.4-132.el7.noarch.rpm rh-ruby27-rubygem-xmlrpc-0.3.0-132.el7.noarch.rpm rh-ruby27-rubygems-3.1.6-132.el7.noarch.rpm rh-ruby27-rubygems-devel-3.1.6-132.el7.noarch.rpm x86_64: rh-ruby27-ruby-2.7.8-132.el7.x86_64.rpm rh-ruby27-ruby-debuginfo-2.7.8-132.el7.x86_64.rpm rh-ruby27-ruby-devel-2.7.8-132.el7.x86_64.rpm rh-ruby27-ruby-libs-2.7.8-132.el7.x86_64.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-132.el7.x86_64.rpm rh-ruby27-rubygem-io-console-0.5.6-132.el7.x86_64.rpm rh-ruby27-rubygem-json-2.3.0-132.el7.x86_64.rpm rh-ruby27-rubygem-openssl-2.1.4-132.el7.x86_64.rpm rh-ruby27-rubygem-psych-3.1.0-132.el7.x86_64.rpm rh-ruby27-rubygem-racc-1.4.16-132.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-33621 https://access.redhat.com/security/cve/CVE-2023-28755 https://access.redhat.com/security/cve/CVE-2023-28756 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZG4b0dzjgjWX9erEAQjJrA/+NY2WHGlRLSUT6kfhPeCZILoj7TJO5FFq 0x2CbpMw4Ea2UrJ+42aGpxrhdzf+IEIC07me4VgsEVWtD/P1+QMlgczHq7upbQZv eLHMIgRKe5Wjq9mP7sQwjwctSxpc8EBmhYyV1X7XyduSm8oaqoog75eps2gMYy4l kcD50w/wUQb/l8x4hNNaB33EaHUva+wfOqFHaG82KWnn9jt3Db6DqEz9yz3T+70O Xa/KMgYsfRBN3TK/4VgHf3F2cbut3zpGBqsdtYTL3fSMjHAg+W6/wLd9n/h8Bf7K bLTYrrcfopFYa/fI1tSTFxvxGh66g3K5rWAiFI0zK3WkveZlkGNa5oaAqf6hDPeU GAS9oePIHvOkDPVI8L1+CKKxb42IQkeqtdy+Xdgcdvuld7w8XI3Z/GLhe4wzUTlb pI9RZMWPQRP4nxfZgjjxsV1pqwhhq48Y6AVxTQ5rXsRzMKlK7ucHiCrPCeCKu1U/ DQihClPyedDckWeVGg1+XlLXFo7ENP5ZzQu+0KPOCQnAWpq05Y5I9dsbNZa6RNVj QdADkyX2LW0u84nuKlfv8TtWeohkeIuMzw0LjQIyArIZVi1+fUg0NbSKw+VKEZAf XRqaQ2cEBe86IOJdgG8Od/KAxeKZ1nDpQfg2bPsdmGuhdTyIKevAX4vD+B1oyb7S b3GVrBp6+TY= =yhcL -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce