===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1147
                      Multiple Ruby versions released
                                6 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Create Arbitrary Files  -- Remote/Unauthenticated
                   Reduced Security        -- Remote with User Interaction
                   Unauthorised Access     -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-28966 CVE-2021-28965 CVE-2020-25613

Reference:         ESB-2021.1145
                   ESB-2021.1013
                   ESB-2021.0965

Original Bulletin:
   https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-5-9-released/
   https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-6-7-released/
   https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/
   https://www.ruby-lang.org/en/news/2021/04/05/ruby-3-0-1-released/

Comment: This bulletin contains four (4) Ruby security advisories.

---------------------------BEGIN INCLUDED TEXT--------------------

Ruby 2.5.9 Released

Posted by usa on 5 Apr 2021

Ruby 2.5.9 has been released.

This release includes security fixes. Please check the topics below for details.

  o CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
  o CVE-2021-28965: XML round-trip vulnerability in REXML

See the commit logs for details.

After this release, Ruby 2.5 reaches EOL. In other words, this is the last release of the Ruby 2.5 series. We will not release Ruby 2.5.10 even if a security vulnerability is found. We recommend that all Ruby 2.5 users upgrade to Ruby 3.0, 2.7 or 2.6 immediately.
Download

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.tar.bz2
  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.tar.gz
  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.tar.xz
  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.zip

Release Comment

Thanks to everyone who helped with this release, especially to the reporters of the vulnerabilities.

---------------------------------------------------------------------------------

Ruby 2.6.7 Released

Posted by usa on 5 Apr 2021

Ruby 2.6.7 has been released.

This release includes security fixes. Please check the topics below for details.

  o CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
  o CVE-2021-28965: XML round-trip vulnerability in REXML

See the commit logs for details.

With this release, the normal maintenance phase of Ruby 2.6 ends and Ruby 2.6 enters the security maintenance phase.
This means that we will no longer backport any bug fixes to Ruby 2.6 except security fixes. The security maintenance phase is scheduled to last one year. Ruby 2.6 reaches EOL and its official support ends at the end of the security maintenance phase. Therefore, we recommend that you start planning an upgrade to Ruby 2.7 or 3.0.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.tar.bz2
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.tar.gz
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.tar.xz
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.zip

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.

The maintenance of Ruby 2.6, including this release, is based on the Agreement for the Ruby stable version of the Ruby Association.
---------------------------------------------------------------------------------

Ruby 2.7.3 Released

Posted by nagachika on 5 Apr 2021

Ruby 2.7.3 has been released.

This release includes security fixes. Please check the topics below for details.

  o CVE-2021-28965: XML round-trip vulnerability in REXML
  o CVE-2021-28966: Path traversal in Tempfile on Windows

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.tar.bz2
  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.tar.gz
  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.tar.xz
  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.zip

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.
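A fleet-audit check written for this bulletin, as an added example (not code from AusCERT or the Ruby project): it classifies a reported Ruby version against the fixed versions the four advisories list (2.5.9, 2.6.7, 2.7.3, 3.0.1) and flags the 2.5/2.6 support changes announced alongside them. The function names, the constructed sample inventory and the stripping of the `pNN` patchlevel suffix that `ruby -v` appends are assumptions.

```ruby
require "rubygems" # Gem::Version ships with RubyGems, bundled with Ruby

# Fixed versions per the four advisories in ESB-2021.1147.
FIXED_VERSIONS = {
  "2.5" => "2.5.9", "2.6" => "2.6.7", "2.7" => "2.7.3", "3.0" => "3.0.1",
}.freeze

# CVEs each series' release fixes, as listed in the bulletin.
CVES_BY_SERIES = {
  "2.5" => %w[CVE-2020-25613 CVE-2021-28965],
  "2.6" => %w[CVE-2020-25613 CVE-2021-28965],
  "2.7" => %w[CVE-2021-28965 CVE-2021-28966],
  "3.0" => %w[CVE-2021-28965 CVE-2021-28966],
}.freeze

# Support-status changes the bulletin announces alongside the fixes.
SUPPORT_NOTE = {
  "2.5" => "EOL: 2.5.9 is the final release, no 2.5.10 even for security fixes",
  "2.6" => "security maintenance only for one year, then EOL",
}.freeze

# Classify one version string (RUBY_VERSION or the `ruby -v` form "3.0.1p64").
# :patched / :vulnerable for the four series covered; :not_covered otherwise.
def assess_ruby_version(version_string)
  version = Gem::Version.new(version_string.sub(/p\d+\z/, "")) # drop patchlevel
  series  = version.segments.first(2).join(".")
  fixed   = FIXED_VERSIONS[series]
  status  = if fixed.nil? then :not_covered
            elsif version >= Gem::Version.new(fixed) then :patched
            else :vulnerable
            end
  { version: version.to_s, series: series, status: status, fixed_in: fixed,
    cves: CVES_BY_SERIES.fetch(series, []), support: SUPPORT_NOTE[series] }
end

# Reduce an inventory of version strings to the entries that need action:
# unpatched installs, plus patched ones on a series whose support is ending.
def needs_action(versions)
  versions.map { |v| assess_ruby_version(v) }
          .select { |r| r[:status] == :vulnerable || r[:support] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts.
  needs_action(%w[2.5.8 2.5.9p229 2.6.6 2.7.3 3.0.0 3.0.1 2.4.10]).each do |r|
    puts "#{r[:version]}: #{r[:status]}, fixed in #{r[:fixed_in]} " \
         "(#{r[:cves].join(', ')})#{r[:support] && ' - ' + r[:support]}"
  end
end
```

Versions outside the four series are reported as :not_covered rather than guessed at, since this bulletin says nothing about them.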
---------------------------------------------------------------------------------

Ruby 3.0.1 Released

Posted by naruse on 5 Apr 2021

Ruby 3.0.1 has been released.

This release includes security fixes. Please check the topics below for details.

  o CVE-2021-28965: XML round-trip vulnerability in REXML
  o CVE-2021-28966: Path traversal in Tempfile on Windows

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.1.tar.gz
  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.1.tar.xz
  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.1.zip

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================