===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1147
                      Multiple Ruby versions released
                               6 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Create Arbitrary Files -- Remote/Unauthenticated      
                   Reduced Security       -- Remote with User Interaction
                   Unauthorised Access    -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-28966 CVE-2021-28965 CVE-2020-25613

Reference:         ESB-2021.1145
                   ESB-2021.1013
                   ESB-2021.0965

Original Bulletin: 
   https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-5-9-released/
   https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-6-7-released/
   https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/
   https://www.ruby-lang.org/en/news/2021/04/05/ruby-3-0-1-released/

Comment: This bulletin contains four (4) Ruby security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Ruby 2.5.9 Released

Posted by usa on 5 Apr 2021

Ruby 2.5.9 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
  o CVE-2021-28965: XML round-trip vulnerability in REXML

See the commit logs for details.

After this release, Ruby 2.5 reaches EOL. In other words, this is the last
release of the Ruby 2.5 series. We will not release Ruby 2.5.10 even if a
security vulnerability is found. We recommend that all Ruby 2.5 users upgrade
to Ruby 3.0, 2.7 or 2.6 immediately.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.tar.bz2

    SIZE: 13805484
    SHA1: 6ac21486996aa38a71f858d28d01ada5593d0b45
    SHA256: bebbe3fe7899acd3ca2f213de38158709555e88a13f85ba5dc95239654bcfeeb
    SHA512: 12f58e14cfa6337065b0e82941e39b167813920eb54cbdb4ac4a680dd0cb75d2684d341059e7b4d0da1292bfc4e53041443bd14891a66f50991858b440a835c8

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.tar.gz

    SIZE: 15687501
    SHA1: 5408671f2ba4f3124ab99ea6edb6d62887d7e5a0
    SHA256: f5894e05f532b748c3347894a5efa42066fd11cc8d261d4d9788ff71da00be68
    SHA512: 5c9a6703b4c8d6e365856d7815e202f24659078d4c8e7a5059443453032b73b28e7ab2b8a6fa995c92c8e7f4838ffa6f9eec31593854e2fc3fc35532cb2db788

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.tar.xz

    SIZE: 11314448
    SHA1: 7be8dc2e6e534eb36bfdf9f017af512996ec99a6
    SHA256: a87f2fa901408cc77652c1a55ff976695bbe54830ff240e370039eca14b358f0
    SHA512: 239f73eb4049ae2654b648ab927b1f74643d38a5f29572e4bd4e6aa3c53c1df29e0a995fd90d4ab9d4b2ff073fd809b12df820ccb1ddf395684bba6be1855b7a

  o https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.zip

    SIZE: 19064704
    SHA1: 5f39cfb7a73c7321b65706617275c3c7452281a9
    SHA256: 14db683c6ba6a863ef126718269758de537571b675231ec43f03b987739e3ce1
    SHA512: c4a34678d280a99fde28cc33ba12d164be8a484f43b09495f9c22c48d2b963424c38470020c057cf346f8cc050ab4289a90a8d516b2a79245dea4e6de79cb75f

Release Comment

Thanks to everyone who helped with this release, especially the reporters of
the vulnerabilities.


--------------------------------------------------------------------------------


Ruby 2.6.7 Released

Posted by usa on 5 Apr 2021

Ruby 2.6.7 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
  o CVE-2021-28965: XML round-trip vulnerability in REXML

See the commit logs for details.

With this release, the normal maintenance phase of Ruby 2.6 ends and Ruby 2.6
enters the security maintenance phase. This means that we will no longer
backport any bug fixes to Ruby 2.6 except security fixes. The security
maintenance phase is scheduled to last one year. Ruby 2.6 reaches EOL and its
official support ends at the end of the security maintenance phase. Therefore,
we recommend that you start planning an upgrade to Ruby 2.7 or 3.0.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.tar.bz2

    SIZE: 14136831
    SHA1: 826bcbe83fde9c813a88e5d42155ea8fa6ffb017
    SHA256: 775a5d47b73ce3ee5d600f993badd7b640a2caca138573326db6632858517710
    SHA512: 311ec56d23d0de7a163f66c1ef4e5369b822f8409f8e1f3a25785c803f01c68dd13aa8ddcfb3a0fe6a97bf321950f8d6cd75b2babcb04158e791601914666f7a

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.tar.gz

    SIZE: 16198982
    SHA1: c37ba0b0699540bbd46116c2f7440c9e7cd16553
    SHA256: e4227e8b7f65485ecb73397a83e0d09dcd39f25efd411c782b69424e55c7a99e
    SHA512: 11689cb9a48d9a588c5526dc2581f11bcf56496ecf96a93d4bddc3e92327be29a9e7806fe19c1a774d5b9d681010936577738aae872d08950d472d04fa6c4dfa

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.tar.xz

    SIZE: 11591404
    SHA1: 1fd1448125a00cd7b9994637b5e561506de6a6d3
    SHA256: f43ead5626202d5432d2050eeab606e547f0554299cc1e5cf573d45670e59611
    SHA512: ba6fc0a36af2a08cf1b008851e805f59ea1047724fc7b61d4bc674533b8f123cb12fa0969e9a3f57290477c0d75f974ca7e304836e4905bd96a737211df9bd21

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.zip

    SIZE: 19866856
    SHA1: 762f76f2d09339862f0de18a6603cf7cbe804ec8
    SHA256: 3facc52602ff1f1958b9e82a0c1837ce8b3f39c665d7ff01b9bc62f9b7a9d852
    SHA512: 9c3a098a7a6133e46dbfa0208461b31a5e4eaa4a9cc3d3eed28e4d29bd2ca97bc1a90e3e433a3832e8bbd4a5bac03d0494a15e1b20237536bde2861d5e1e1cd1

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

The maintenance of Ruby 2.6, including this release, is based on the
Agreement for the Ruby stable version of the Ruby Association.


--------------------------------------------------------------------------------


Ruby 2.7.3 Released

Posted by nagachika on 5 Apr 2021

Ruby 2.7.3 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2021-28965: XML round-trip vulnerability in REXML
  o CVE-2021-28966: Path traversal in Tempfile on Windows

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.tar.bz2

    SIZE: 14792727
    SHA1: 4f4a47465b48a91d43fb557b70e47d79f6727a29
    SHA256: 3e90e5a41d4df90e19c307ab0fb41789992c0b0128e6bbaa669b89ed44a0b68b
    SHA512: e9236138be3e61380140f2e0d42f8fb82ad8f5219d454de2f6c2ec546bb208acc8b0f2020f23e6446660d2b3b9ae873cdd8298471f166a5f1efba8e80b05e746

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.tar.gz

    SIZE: 16912725
    SHA1: 1fef38fbb31134e6e14df63ee6ce673e118d64ce
    SHA256: 8925a95e31d8f2c81749025a52a544ea1d05dad18794e6828709268b92e55338
    SHA512: 1d036d08016351e8f9e7506a6abaf490fe226cf2ff9c2f9df582b57bff22a960dbaf271a8a167ac09f864613b9b8b14191bb79f8a6900ad5ca24131ecf571d54

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.tar.xz

    SIZE: 12073568
    SHA1: ce3d5203d5ab734df01e602c05f68f25249dc3e0
    SHA256: 5e91d1650857d43cd6852e05ac54683351e9c301811ee0bef43a67c4605e7db1
    SHA512: b755d418b3bab2f9f6a8893afd13869269f17065643dde78b9e85ae3538a6d0617893db6e9c3908e00a40c7577a5c912a7c822d8f245cdcfb857be76dfb66c1e

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.zip

    SIZE: 20697429
    SHA1: 384cd3a915ad666d7f6b51b2babbe08285433202
    SHA256: 42b56a95e9016bee468af00db49456ee4720d3f9916dda726cdaf83597158376
    SHA512: 527c8ba425b75f13b5837863735811d00b4af49132df13c65fe71a6e04a83d3780a5b2b54b43a95f5b33592f3d689da3f18cefbecef86bcdb0c5e5fc51c7b037

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.


--------------------------------------------------------------------------------


Ruby 3.0.1 Released

Posted by naruse on 5 Apr 2021

Ruby 3.0.1 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2021-28965: XML round-trip vulnerability in REXML
  o CVE-2021-28966: Path traversal in Tempfile on Windows

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.1.tar.gz

    SIZE: 19664598
    SHA1: 60c72f3e501a3be9616385cad3e48bc89d6150a1
    SHA256: 369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727
    SHA512: cb81db2c9b698cf8159b2ca6507f4c7f171e4eb387f5730c4b658ed632b7900a169808e6fbec0ee80598d937030ad5d9c56b63a2a339373ec5d9e1c06b7661d0

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.1.tar.xz

    SIZE: 14486780
    SHA1: 3c5443960fe860ff7055bc02a4793140b9fb9b28
    SHA256: d06bccd382d03724b69f674bc46cd6957ba08ed07522694ce44b9e8ffc9c48e2
    SHA512: 97d2e883656060846b304368d9d836e2f3ef39859c36171c9398a0573818e4ed75bfd7460f901a9553f7f53518c505327a66e74f83704a881469f5ac61fe13d7

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.1.zip

    SIZE: 24014727
    SHA1: 311164da8f68abb58f8590356bf492fc2ab80192
    SHA256: c8703c33904c79613a41a750cc62d210c3c57fec0728476d66b0a9031a499d68
    SHA512: 395cdbd7fd42f0d2b42208c390db7ac2ed8d3e247d9b7fdaa43347a815b108a3680cbebf2ab8f05ec468ff02c832e2f3c1399e616f0f3e3016f6a6e894811b01

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================