-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1110.3
          Ruby: Heap exposure vulnerability in the socket library
                               22 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Create Arbitrary Files   -- Remote/Unauthenticated
                   Access Confidential Data -- Unknown/Unspecified   
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10933 CVE-2020-10663 

Original Bulletin: 
   https://www.ruby-lang.org/en/news/2020/03/31/heap-exposure-in-socket-cve-2020-10933/
   https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-4-10-released/
   https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-released/
   https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-6-6-released/
   https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-7-1-released/

Comment: This bulletin contains five (5) Ruby security advisories.

Revision History:  June    22 2021: Replaced CVE-2020-16255 with CVE-2020-10663 as per Vendor update
                   January 19 2021: Vendor updated CVE for Ruby 2.4.10 Released bulletin
                   April    1 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2020-10933: Heap exposure vulnerability in the socket library

Posted by mame on 31 Mar 2020

A heap exposure vulnerability was discovered in the socket library. This
vulnerability has been assigned the CVE identifier CVE-2020-10933. We strongly
recommend upgrading Ruby.

Details

When BasicSocket#recv_nonblock and BasicSocket#read_nonblock are invoked with
both a size and a buffer argument, they first resize the buffer string to the
requested size. If the operation would block, they return without copying any
data into it, so the buffer string is left holding whatever bytes happened to
occupy that region of the heap. This may expose potentially sensitive data from
the interpreter's memory.

This issue is exploitable only on Linux. It has been present since Ruby 2.5.0;
the 2.4 series is not vulnerable.
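
The following is an added example for this bulletin, not code from the Ruby
advisory or the Ruby project. It exercises the exact call shape the advisory
describes (a non-blocking read with an explicit size and a caller-supplied
buffer) on a socket that has nothing to read, so the call must report that it
would block. On a patched interpreter the buffer stays empty; a vulnerable build
returned it resized to the requested size and filled with uninitialised heap
bytes. The socket pair, the payload and the guarded_read_nonblock wrapper are
constructed for the example; the wrapper only keeps the caller's own buffer
clean and is not a substitute for upgrading.

```ruby
require 'socket'

# Probe for the CVE-2020-10933 failure mode: a connected UNIX socket pair
# (constructed here) with nothing written yet, so the non-blocking read must
# report "would block". Returns what the call returned and how many bytes the
# caller-supplied buffer holds afterwards. Patched Ruby: 0 bytes. Vulnerable
# Ruby: `size` bytes of uninitialised heap memory.
def probe_would_block(size = 4096)
  reader, writer = Socket.pair(:UNIX, :STREAM, 0)
  buf = String.new
  result = reader.read_nonblock(size, buf, exception: false)
  { result: result, buffer_bytes: buf.bytesize }
ensure
  reader&.close
  writer&.close
end

# Control case: with data queued, the buffer holds exactly the received bytes
# and nothing beyond them, however large the requested size is.
def probe_with_data(payload = 'hello', size = 4096)
  reader, writer = Socket.pair(:UNIX, :STREAM, 0)
  writer.write(payload)
  buf = String.new
  result = reader.read_nonblock(size, buf, exception: false)
  { result: result, buffer: buf }
ensure
  reader&.close
  writer&.close
end

# Assumed workaround pattern for code stuck on an unpatched interpreter (not
# from the advisory): never hand the caller's buffer to the library. Read into
# a throwaway string and copy only when bytes were actually received, so a
# would-block or EOF return can never leave heap contents in a string the
# caller goes on to use, log or send.
def guarded_read_nonblock(sock, size, buf)
  scratch = String.new
  result = sock.read_nonblock(size, scratch, exception: false)
  case result
  when String then buf.replace(result)   # real data: copy exactly what arrived
  else buf.clear                          # :wait_readable (would block) or nil (EOF)
  end
  result
end

if $PROGRAM_NAME == __FILE__
  p probe_would_block   # patched Ruby: result :wait_readable, buffer_bytes 0
  p probe_with_data     # result "hello", buffer "hello"
end
```

Run this on the interpreter you intend to ship: a non-zero `buffer_bytes`
after a `:wait_readable` return is the vulnerable behaviour. The advisory notes
the issue is only exploitable on Linux, so a clean result on another platform
says nothing about the same Ruby version on a Linux host.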

Affected versions

  o Ruby 2.5 series: 2.5.7 and earlier
  o Ruby 2.6 series: 2.6.5 and earlier
  o Ruby 2.7 series: 2.7.0
  o prior to master revision 61b7f86248bd121be2e83768be71ef289e8e5b90

Credits

Thanks to Samuel Williams for discovering this issue.

History

  o Originally published at 2020-03-31 15:00:00 (UTC)

- --------------------------------------------------------------------------------

Ruby 2.4.10 Released

Posted by usa on 31 Mar 2020

Ruby 2.4.10 has been released.

This release includes a security fix. Please check the topics below for
details.

  o CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional
    fix)

Ruby 2.4 is in its security maintenance phase, which ends at the end of March
2020. After that date, maintenance of Ruby 2.4 ends, so this release is expected
to be the last of the Ruby 2.4 series. We recommend that you upgrade immediately
to a newer version, such as 2.7, 2.6 or 2.5.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.10.tar.bz2

    SIZE: 12513799
    SHA1: 96737b609f4a82f8696669a17017a46f3bd07549
    SHA256: 6ea3ce7fd0064524ae06dbdcd99741c990901dfc9c66d8139a02f907d30b95a8
    SHA512: 4d730d2d7cb96b002167ee358258f2620862a5a6d8627cfa5b49bd43c6e59c50c0f437b959d4689b231d57706ec7d5910d9b144f4ca1c1ed56bc879ed92e8a59

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.10.tar.gz

    SIZE: 14133414
    SHA1: 3140909df03941865012a247969f355cb17e5cde
    SHA256: 93d06711795bfb76dbe7e765e82cdff3ddf9d82eff2a1f24dead9bb506eaf2d0
    SHA512: dfbe2a28b1a2d458dfc8d4287fbe7caec70890dfecf1e12ac62cddd323d8921ca14a0479453e3691641e3d49366de2e4eb239029c46685234b8f29ac84e1da11

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.10.tar.xz

    SIZE: 10100664
    SHA1: 757707eaf3d013f17d63717b0b00dfde7ef6684e
    SHA256: d5668ed11544db034f70aec37d11e157538d639ed0d0a968e2f587191fc530df
    SHA512: 11c7a9ea1353f752763b189815ac34674cc8ebf7141517838b7f040823e892780d94ec3091c1f5d1415f9bc1b838b7f6f9de13a706df7bef80ce3b146a7d6660

  o https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.10.zip

    SIZE: 15774586
    SHA1: 38568a192e042fdd93cd9ba0cdae1de3b299b0b5
    SHA256: 3babcf264a22b52951974ed4c5232c3fe14f2ada72daad47bf8b73639a7eec50
    SHA512: 7dbc14d8d548848a8f6d6a6fa84fd514386df86b5e3f0613cdb6d1dd68740b934052f71eee63e0a2fd5cdc7f4acf20ae8ef6219f8e3d7d0c476bb6f411bb6320

Release Comment

Thanks to everyone who helped with this release, especially the reporters of
the vulnerability.

- --------------------------------------------------------------------------------

Ruby 2.5.8 Released

Posted by usa on 31 Mar 2020

Ruby 2.5.8 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional
    fix)
  o CVE-2020-10933: Heap exposure vulnerability in the socket library

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.8.tar.bz2

    SIZE: 13801410
    SHA1: 823b6b009a6e44fef27d2dacb069067fe355d5d8
    SHA256: 41fc93731ad3f3aa597d657f77ed68fa86b5e93c04dfbf7e542a8780702233f0
    SHA512: 037a5a0510d50b4da85f081d934b07bd6e1c9b5a1ab9b069b3d6eb131ee811351cf02b61988dda7d7aa248aec91612a58d00929d342f0b19ddd7302712caec58

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.8.tar.gz

    SIZE: 15682927
    SHA1: 71e7b22d1dfa32d3df0bfeec48237b28a53bc04f
    SHA256: 6c0bdf07876c69811a9e7dc237c43d40b1cb6369f68e0e17953d7279b524ad9a
    SHA512: ec8bf18b5ef8bf14a568dfb50cbddcc4bb13241f07b0de969e7b60cc261fb4e08fefeb5236bcf620bc690af112a9ab7f7c89f5b8a03fd3430e58804227b5041f

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.8.tar.xz

    SIZE: 11298404
    SHA1: d5ef8e8f28c098e6b7ea24924e0b0fee6e2f766c
    SHA256: 0391b2ffad3133e274469f9953ebfd0c9f7c186238968cbdeeb0651aa02a4d6d
    SHA512: 2886be764a454425c5beef2777c64a70ee0d048b07896b327633d904f5077fea4299526689f9e2ac4dcd2fc4811cf9a6c8ce75367ed35d29dfe1a54222872e0d

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.8.zip

    SIZE: 19060404
    SHA1: 623786f2b30e61f0e78e2b0bb2d98f0f029dc305
    SHA256: 69d97164f12f85cef34ef9d2eac0f3fd40400bffb29ddd58193225bd23220ae2
    SHA512: 6a02ff090d2463fdb8cb9f4f072cc7d14d467731bf2eb28780fe714176e5abb3a169b6d007f76bd1c7e86517d11e93edea6a9e76d1a0ba97c7ac60dc5b235bdc

Release Comment

Thanks to everyone who helped with this release, especially the reporters of
the vulnerability.

- --------------------------------------------------------------------------------

Ruby 2.6.6 Released

Posted by nagachika on 31 Mar 2020

Ruby 2.6.6 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional
    fix)
  o CVE-2020-10933: Heap exposure vulnerability in the socket library

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.6.tar.bz2

    SIZE: 14137163
    SHA1: 62adcc4c465a8790b3df87860551e7ad7d84f23d
    SHA256: f08b779079ecd1498e6a2548c39a86144c6c784dcec6f7e8a93208682eb8306e
    SHA512: 001851cf55c4529287ca7cc132afc8c7af4293cdef71feb1922da4901ece255ec453d7697b102a9a90aef2a048fe3d09017ea9378ab4a4df998c21ec3890cdbb

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.6.tar.gz

    SIZE: 16180408
    SHA1: 2d78048e293817f38d4ede4ebc7873013e97bb0b
    SHA256: 364b143def360bac1b74eb56ed60b1a0dca6439b00157ae11ff77d5cd2e92291
    SHA512: 7c54aad974d13c140df0a7209cc111dada10ad402126271051222adb7f2b5053997353367f2cddf6c0336f67357f831aeab9f236851153c0db0d2014bf3e0614

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.6.tar.xz

    SIZE: 11567284
    SHA1: 4dc8d4f7abc1d498b7bac68e82efc01a849f300f
    SHA256: 5db187882b7ac34016cd48d7032e197f07e4968f406b0690e20193b9b424841f
    SHA512: 86caf93dbf61d03781767ab5375a7edf4761f13ba08ccfefe16c0a7550499237e7390c2f72a95d42670d4fe76b2401b4218936187c62ec1572799e9e04c50d62

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.6.zip

    SIZE: 19847926
    SHA1: 7fca2388cf9732163c005c1c7866368708305042
    SHA256: 0899af033c477c0eafeafd59925ce1165a651af6690c5812931d821b4a048d14
    SHA512: 25a8142c2d208705c4ec744ba4a65aa32b6de510cc6b716ab271ff12ec84430a34fac19ef2818570fd175ab76727506f683fa4d389842dcbb1069e732cf4fee3

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

- --------------------------------------------------------------------------------

Ruby 2.7.1 Released

Posted by naruse on 31 Mar 2020

Ruby 2.7.1 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional
    fix)
  o CVE-2020-10933: Heap exposure vulnerability in the socket library

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.1.tar.bz2

    SIZE: 14684616
    SHA1: e83a084a4329e1e3f55591bf5ac0c8ebed6444b3
    SHA256: d703d58a67e7ed822d6e4a6ea9e44255f689a5b6ea6752d17e8d031849822202
    SHA512: 4af568f5210379239531dbc54d35739f6ff7ab1d7ffcafc54fed2afeb2b30450d2df386504edf96a494465b3f5fd90cb030974668aa7a1fde5a6b042ea9ca858

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.1.tar.gz

    SIZE: 16816471
    SHA1: 76e25fce50a87f76a3ccd6d0fdd9b7c792400249
    SHA256: d418483bdd0000576c1370571121a6eb24582116db0b7bb2005e90e250eae418
    SHA512: d54ec78d46644269a200cc64c84beed1baaea74189e0ffc167f90f4b9540bb6d9e7b19807c0990e1b13738b83d1e2bb4c712396d033db6a7501e6046fff12839

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.1.tar.xz

    SIZE: 12003684
    SHA1: 6c92300d7fd3e9cbb433e5e687535dc5300848eb
    SHA256: b224f9844646cc92765df8288a46838511c1cec5b550d8874bd4686a904fcee7
    SHA512: 79f98b1ea98e0b10ec79da1883e8fc84d48ffe5c09ae945cbebde94365e35a589d919aac965f74d70ca7e21370ecee631ac5a8f9c4eac61d62f5aa629f27bf31

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.1.zip

    SIZE: 20591655
    SHA1: 8b0e887d47b54154fe856b61617d3e3d5c5adda7
    SHA256: de8d2aa018016428bd30eab430aaa5e22428c2a897865285c53907bb53d55b13
    SHA512: f5fafae966ca4cf96737d28ffd261dee7a1b76ab9d219af5eef34c88f6e958ca62777de322b4c7acea6523279d8e8483a0a2d82db0beb25c2bb2387ce6f3ee76
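
Added example, not part of the release announcements above: a small Ruby
verifier that checks a downloaded archive against every field of a release
entry in the SIZE/SHA1/SHA256/SHA512 layout used on this page. The embedded
entry is copied from the ruby-2.7.1.tar.xz listing above; the local file name
is an assumption. All listed digests must agree, since SHA1 on its own is no
longer a meaningful integrity check.

```ruby
require 'digest'

# Expected values copied verbatim from the ruby-2.7.1.tar.xz entry above.
RELEASE_ENTRY_2_7_1_TAR_XZ = <<~ENTRY
  SIZE: 12003684
  SHA1: 6c92300d7fd3e9cbb433e5e687535dc5300848eb
  SHA256: b224f9844646cc92765df8288a46838511c1cec5b550d8874bd4686a904fcee7
  SHA512: 79f98b1ea98e0b10ec79da1883e8fc84d48ffe5c09ae945cbebde94365e35a589d919aac965f74d70ca7e21370ecee631ac5a8f9c4eac61d62f5aa629f27bf31
ENTRY

DIGESTS = {
  'SHA1' => Digest::SHA1,
  'SHA256' => Digest::SHA256,
  'SHA512' => Digest::SHA512
}.freeze

# Parses "KEY: value" lines into a hash, e.g. { 'SIZE' => '12003684', ... }.
# Blank lines and lines without a value are skipped.
def parse_release_entry(text)
  text.each_line.with_object({}) do |line, out|
    key, value = line.strip.split(/:\s*/, 2)
    out[key.upcase] = value if key && value && !value.empty?
  end
end

# Returns an array of failure messages; empty means every listed field matched.
# A field we cannot compute is reported rather than silently skipped, so a
# typo in the expected table cannot turn into a vacuous pass.
def verify_release_file(path, expected)
  data = File.binread(path)
  failures = []
  expected.each do |key, want|
    got =
      case key
      when 'SIZE' then data.bytesize.to_s
      when *DIGESTS.keys then DIGESTS[key].hexdigest(data)
      else
        failures << "unknown field #{key}"
        next
      end
    failures << "#{key} mismatch: expected #{want}, got #{got}" unless got.casecmp?(want)
  end
  failures
end

if $PROGRAM_NAME == __FILE__
  expected = parse_release_entry(RELEASE_ENTRY_2_7_1_TAR_XZ)
  path = ARGV.fetch(0, 'ruby-2.7.1.tar.xz')   # assumed path of the local download
  if File.exist?(path)
    failures = verify_release_file(path, expected)
    puts(failures.empty? ? "#{path}: all #{expected.size} fields match" : failures)
  end
end
```

Verify the archive before unpacking it, and fetch the expected values from
the announcement rather than from the same server that served the archive
whenever you can; a digest copied from the download page proves only that the
file matches what that page says.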

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----