===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1110.3
          Ruby: Heap exposure vulnerability in the socket library
                               22 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Create Arbitrary Files   -- Remote/Unauthenticated
                   Access Confidential Data -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10933 CVE-2020-10663

Original Bulletin:
   https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
   https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-4-10-released/
   https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
   https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-6-6-released/
   https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/

Comment: This bulletin contains five (5) Ruby security advisories.

Revision History:  June 22 2021:    Replaced CVE-2020-16255 with CVE-2020-10663 as per Vendor update
                   January 19 2021: Vendor updated CVE for Ruby 2.4.10 Released bulletin
                   April 1 2020:    Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2020-10933: Heap exposure vulnerability in the socket library

Posted by mame on 31 Mar 2020

A heap exposure vulnerability was discovered in the socket library. This vulnerability has been assigned the CVE identifier CVE-2020-10933. We strongly recommend upgrading Ruby.

Details

When BasicSocket#recv_nonblock and BasicSocket#read_nonblock are invoked with size and buffer arguments, they initially resize the buffer to the specified size. In cases where the operation would block, they return without copying any data. Thus, the buffer string will now include arbitrary data from the heap.
This may expose possibly sensitive data from the interpreter. This issue is exploitable only on Linux. The issue has existed since Ruby 2.5.0; the 2.4 series is not vulnerable.

Affected versions

  o Ruby 2.5 series: 2.5.7 and earlier
  o Ruby 2.6 series: 2.6.5 and earlier
  o Ruby 2.7 series: 2.7.0
  o prior to master revision 61b7f86248bd121be2e83768be71ef289e8e5b90

Credits

Thanks to Samuel Williams for discovering this issue.

History

  o Originally published at 2020-03-31 15:00:00 (UTC)

--------------------------------------------------------------------------------

Ruby 2.4.10 Released

Posted by usa on 31 Mar 2020

Ruby 2.4.10 has been released.

This release includes a security fix. Please check the topics below for details.

  o CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)

Ruby 2.4 is now in its security maintenance phase, which lasts until the end of March 2020. After that date, maintenance of Ruby 2.4 will end, so this release is expected to be the last of the Ruby 2.4 series. We recommend that you upgrade Ruby immediately to a newer version, such as 2.7, 2.6 or 2.5.
Download

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.10.tar.bz2
  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.10.tar.gz
  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.10.tar.xz
  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.10.zip

Release Comment

Thanks to everyone who helped with this release, especially the reporters of the vulnerability.

--------------------------------------------------------------------------------

Ruby 2.5.8 Released

Posted by usa on 31 Mar 2020

Ruby 2.5.8 has been released.

This release includes security fixes. Please check the topics below for details.

  o CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)
  o CVE-2020-10933: Heap exposure vulnerability in the socket library

See the commit logs for details.
Download

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.8.tar.bz2
  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.8.tar.gz
  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.8.tar.xz
  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.8.zip

Release Comment

Thanks to everyone who helped with this release, especially the reporters of the vulnerability.

--------------------------------------------------------------------------------

Ruby 2.6.6 Released

Posted by nagachika on 31 Mar 2020

Ruby 2.6.6 has been released.

This release includes security fixes. Please check the topics below for details.

  o CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)
  o CVE-2020-10933: Heap exposure vulnerability in the socket library

See the commit logs for details.
Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.6.tar.bz2
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.6.tar.gz
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.6.tar.xz
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.6.zip

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.

--------------------------------------------------------------------------------

Ruby 2.7.1 Released

Posted by naruse on 31 Mar 2020

Ruby 2.7.1 has been released.

This release includes security fixes. Please check the topics below for details.

  o CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional fix)
  o CVE-2020-10933: Heap exposure vulnerability in the socket library

See the commit logs for details.
Download

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.1.tar.bz2
  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.1.tar.gz
  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.1.tar.xz
  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.1.zip

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.
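The Details section of CVE-2020-10933 above describes a buffer that is resized but never filled when the non-blocking read would block. The following added example (not code from ruby-lang.org or from AusCERT; FIXED_RELEASES, vulnerable_version? and safe_recv_nonblock are names chosen here) shows two defensive checks a practitioner can apply: comparing an interpreter version against the fixed releases named in the bulletin, and wrapping recv_nonblock so the caller never receives a stale, unfilled buffer. It assumes a Linux or other UNIX host where UNIXSocket.pair is available.

```ruby
# Added example, not part of the Ruby advisory or the AusCERT bulletin.
require "socket"

# First patched release of each affected series, per the advisory.
FIXED_RELEASES = { "2.5" => "2.5.8", "2.6" => "2.6.6", "2.7" => "2.7.1" }.freeze

def version_segments(str)
  str.split(".").map(&:to_i)
end

# True when +version+ (e.g. RUBY_VERSION) falls in the affected range:
# 2.5.0 up to, but not including, the fixed release of its series.
# The 2.4 series is not affected and no later series shipped the bug.
# Builds from an unreleased master revision are not modelled here.
def vulnerable_version?(version)
  v = version_segments(version)
  return false if (v <=> [2, 5, 0]) < 0
  fixed = FIXED_RELEASES[v[0, 2].join(".")]
  return false if fixed.nil?
  (v <=> version_segments(fixed)) < 0
end

# Reads up to +size+ bytes into +buf+ via recv_nonblock (flags = 0).
# If the read would block, an unpatched interpreter has already resized
# +buf+ without filling it, so the wrapper empties the buffer before
# returning nil; the caller can never observe leftover heap bytes.
# On a patched interpreter the clear is a harmless no-op.
def safe_recv_nonblock(sock, size, buf)
  sock.recv_nonblock(size, 0, buf)
rescue IO::WaitReadable
  buf.clear
  nil
end

if __FILE__ == $PROGRAM_NAME
  status = vulnerable_version?(RUBY_VERSION) ? "affected, upgrade" : "not affected"
  puts "RUBY_VERSION #{RUBY_VERSION}: #{status}"
  reader, writer = UNIXSocket.pair          # local socket pair, no network needed
  buf = String.new
  p safe_recv_nonblock(reader, 16, buf)    # nil: nothing queued yet, buf is empty
  writer.write("hello")
  p safe_recv_nonblock(reader, 16, buf)    # "hello"
end
```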
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.