USN-5020-1: Ruby vulnerabilities
=========================================================================
Ubuntu Security Notice USN-5020-1
July 21, 2021
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby2.7: Object-oriented scripting language
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language
Details:
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-31799)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could possibly use this issue to conduct
port scans and service banner extractions. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-31810)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could possibly use this issue to perform
man-in-the-middle attackers to bypass the TLS protection.
(CVE-2021-32066)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 21.04:
libruby2.7 2.7.2-4ubuntu1.2
ruby2.7 2.7.2-4ubuntu1.2
Ubuntu 20.10:
libruby2.7 2.7.1-3ubuntu1.4
ruby2.7 2.7.1-3ubuntu1.4
Ubuntu 20.04 LTS:
libruby2.7 2.7.0-5ubuntu1.5
ruby2.7 2.7.0-5ubuntu1.5
Ubuntu 18.04 LTS:
libruby2.5 2.5.1-1ubuntu1.10
ruby2.5 2.5.1-1ubuntu1.10
Ubuntu 16.04 ESM:
libruby2.3 2.3.1-2~ubuntu16.04.16+esm1
ruby2.3 2.3.1-2~ubuntu16.04.16+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5020-1
CVE-2021-31799, CVE-2021-31810, CVE-2021-32066
Package Information:
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.2-4ubuntu1.2
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.1-3ubuntu1.4
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.5
https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.10
A Ruby security update has been released for Ubuntu Linux 16.04 ESM, 18.04 LTS, 20.04 LTS, 20.10, and 21.04.