suse-su-2022:15034-1
Vulnerability from csaf_suse
Published
2022-09-06 11:58
Modified
2022-09-06 11:58
Summary
Security update for ruby

Notes

Title of the patch
Security update for ruby
Description of the patch
This update for ruby fixes the following issues: - CVE-2018-16395: Fixed an issue where two x509 certificates could be considered equal when they were not (bsc#1112530). - CVE-2021-32066: Fixed an issue where the IMAP client API would not report a failure when StartTLS failed, leading to potential man-in-the-middle attacks (bsc#1188160). - CVE-2021-31810: Fixed an issue where the FTP client API would trust certain responses from a malicious server, tricking the client into connecting to addresses not intended by the client (bsc#1188161).
Patchnames
slewyst13-ruby-15034
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for ruby",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for ruby fixes the following issues:\n\n- CVE-2018-16395: Fixed an issue where two x509 certificates could be\n  considered to be equal when this was not the case (bsc#1112530).\n- CVE-2021-32066: Fixed an issue where the IMAP client API would not\n  report a failure when StartTLS failed, leading to potential man in\n  the middle attacks (bsc#1188160).\n- CVE-2021-31810: Fixed an issue where the FTP client API would trust\n  certain responses from a malicious server, tricking the client into\n  connecting to addresses not intended by the client (bsc#1188161).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "slewyst13-ruby-15034",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_15034-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2022:15034-1",
        "url": "https://www.suse.com/support/update/announcement/2022/suse-su-202215034-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2022:15034-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012115.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1112530",
        "url": "https://bugzilla.suse.com/1112530"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1188160",
        "url": "https://bugzilla.suse.com/1188160"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1188161",
        "url": "https://bugzilla.suse.com/1188161"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-16395 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-16395/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-31810 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-31810/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-32066 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-32066/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-81810 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-81810/"
      }
    ],
    "title": "Security update for ruby",
    "tracking": {
      "current_release_date": "2022-09-06T11:58:31Z",
      "generator": {
        "date": "2022-09-06T11:58:31Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2022:15034-1",
      "initial_release_date": "2022-09-06T11:58:31Z",
      "revision_history": [
        {
          "date": "2022-09-06T11:58:31Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
                "product": {
                  "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
                  "product_id": "ruby-devel-1.8.7.p357-0.9.20.3.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
                "product": {
                  "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
                  "product_id": "ruby-devel-1.8.7.p357-0.9.20.3.1.ia64"
                }
              }
            ],
            "category": "architecture",
            "name": "ia64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
                "product": {
                  "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
                  "product_id": "ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
                "product": {
                  "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
                  "product_id": "ruby-devel-1.8.7.p357-0.9.20.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64",
                "product": {
                  "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64",
                  "product_id": "ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE WebYast 1.3",
                "product": {
                  "name": "SUSE WebYast 1.3",
                  "product_id": "SUSE WebYast 1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:webyast:1.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.i586 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586"
        },
        "product_reference": "ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ia64 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64"
        },
        "product_reference": "ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64"
        },
        "product_reference": "ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.s390x as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x"
        },
        "product_reference": "ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
        },
        "product_reference": "ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-16395",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-16395"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-16395",
          "url": "https://www.suse.com/security/cve/CVE-2018-16395"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1112530 for CVE-2018-16395",
          "url": "https://bugzilla.suse.com/1112530"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1136906 for CVE-2018-16395",
          "url": "https://bugzilla.suse.com/1136906"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-09-06T11:58:31Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-16395"
    },
    {
      "cve": "CVE-2021-31810",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-31810"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-31810",
          "url": "https://www.suse.com/security/cve/CVE-2021-31810"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188161 for CVE-2021-31810",
          "url": "https://bugzilla.suse.com/1188161"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193383 for CVE-2021-31810",
          "url": "https://bugzilla.suse.com/1193383"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1205053 for CVE-2021-31810",
          "url": "https://bugzilla.suse.com/1205053"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-09-06T11:58:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-31810"
    },
    {
      "cve": "CVE-2021-32066",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-32066"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-32066",
          "url": "https://www.suse.com/security/cve/CVE-2021-32066"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188160 for CVE-2021-32066",
          "url": "https://bugzilla.suse.com/1188160"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196771 for CVE-2021-32066",
          "url": "https://bugzilla.suse.com/1196771"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1205053 for CVE-2021-32066",
          "url": "https://bugzilla.suse.com/1205053"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-09-06T11:58:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-32066"
    },
    {
      "cve": "CVE-2021-81810",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-81810"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-81810",
          "url": "https://www.suse.com/security/cve/CVE-2021-81810"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-09-06T11:58:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-81810"
    }
  ]
}

