-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1930
         rh-ruby27-ruby security, bug fix, and enhancement update
                                4 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rh-ruby27-ruby
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Create Arbitrary Files -- Remote/Unauthenticated
                   Unauthorised Access    -- Remote/Unauthenticated
                   Reduced Security       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-28965 CVE-2020-25613 

Reference:         ESB-2021.1800
                   ESB-2021.1147
                   ESB-2020.3433

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:2229

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rh-ruby27-ruby security, bug fix, and enhancement update
Advisory ID:       RHSA-2021:2229-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2229
Issue date:        2021-06-03
CVE Names:         CVE-2020-25613 CVE-2021-28965 
=====================================================================

1. Summary:

An update for rh-ruby27-ruby is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to perform system management tasks. 

The following packages have been upgraded to a later upstream version:
rh-ruby27-ruby (2.7.3). (BZ#1947931)

Security Fix(es):

* ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)

* ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* rh-ruby27-ruby: Resolv::DNS: timeouts if multiple IPv6 name servers are
given and address contains leading zero [rhscl-3] (BZ#1950016)

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Software Collections 3.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1883623 - CVE-2020-25613 ruby: Potential HTTP request smuggling in WEBrick
1947526 - CVE-2021-28965 ruby: XML round-trip vulnerability in REXML
1950016 - rh-ruby27-ruby: Resolv::DNS: timeouts if multiple IPv6 name servers are given and address contains leading zero [rhscl-3]

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-ruby27-ruby-2.7.3-129.el7.src.rpm

noarch:
rh-ruby27-ruby-doc-2.7.3-129.el7.noarch.rpm
rh-ruby27-rubygem-bundler-2.1.4-129.el7.noarch.rpm
rh-ruby27-rubygem-did_you_mean-1.4.0-129.el7.noarch.rpm
rh-ruby27-rubygem-irb-1.2.6-129.el7.noarch.rpm
rh-ruby27-rubygem-minitest-5.13.0-129.el7.noarch.rpm
rh-ruby27-rubygem-net-telnet-0.2.0-129.el7.noarch.rpm
rh-ruby27-rubygem-power_assert-1.1.7-129.el7.noarch.rpm
rh-ruby27-rubygem-rake-13.0.1-129.el7.noarch.rpm
rh-ruby27-rubygem-rdoc-6.2.1-129.el7.noarch.rpm
rh-ruby27-rubygem-test-unit-3.3.4-129.el7.noarch.rpm
rh-ruby27-rubygem-xmlrpc-0.3.0-129.el7.noarch.rpm
rh-ruby27-rubygems-3.1.6-129.el7.noarch.rpm
rh-ruby27-rubygems-devel-3.1.6-129.el7.noarch.rpm

ppc64le:
rh-ruby27-ruby-2.7.3-129.el7.ppc64le.rpm
rh-ruby27-ruby-debuginfo-2.7.3-129.el7.ppc64le.rpm
rh-ruby27-ruby-devel-2.7.3-129.el7.ppc64le.rpm
rh-ruby27-ruby-libs-2.7.3-129.el7.ppc64le.rpm
rh-ruby27-rubygem-bigdecimal-2.0.0-129.el7.ppc64le.rpm
rh-ruby27-rubygem-io-console-0.5.6-129.el7.ppc64le.rpm
rh-ruby27-rubygem-json-2.3.0-129.el7.ppc64le.rpm
rh-ruby27-rubygem-openssl-2.1.2-129.el7.ppc64le.rpm
rh-ruby27-rubygem-psych-3.1.0-129.el7.ppc64le.rpm
rh-ruby27-rubygem-racc-1.4.16-129.el7.ppc64le.rpm

s390x:
rh-ruby27-ruby-2.7.3-129.el7.s390x.rpm
rh-ruby27-ruby-debuginfo-2.7.3-129.el7.s390x.rpm
rh-ruby27-ruby-devel-2.7.3-129.el7.s390x.rpm
rh-ruby27-ruby-libs-2.7.3-129.el7.s390x.rpm
rh-ruby27-rubygem-bigdecimal-2.0.0-129.el7.s390x.rpm
rh-ruby27-rubygem-io-console-0.5.6-129.el7.s390x.rpm
rh-ruby27-rubygem-json-2.3.0-129.el7.s390x.rpm
rh-ruby27-rubygem-openssl-2.1.2-129.el7.s390x.rpm
rh-ruby27-rubygem-psych-3.1.0-129.el7.s390x.rpm
rh-ruby27-rubygem-racc-1.4.16-129.el7.s390x.rpm

x86_64:
rh-ruby27-ruby-2.7.3-129.el7.x86_64.rpm
rh-ruby27-ruby-debuginfo-2.7.3-129.el7.x86_64.rpm
rh-ruby27-ruby-devel-2.7.3-129.el7.x86_64.rpm
rh-ruby27-ruby-libs-2.7.3-129.el7.x86_64.rpm
rh-ruby27-rubygem-bigdecimal-2.0.0-129.el7.x86_64.rpm
rh-ruby27-rubygem-io-console-0.5.6-129.el7.x86_64.rpm
rh-ruby27-rubygem-json-2.3.0-129.el7.x86_64.rpm
rh-ruby27-rubygem-openssl-2.1.2-129.el7.x86_64.rpm
rh-ruby27-rubygem-psych-3.1.0-129.el7.x86_64.rpm
rh-ruby27-rubygem-racc-1.4.16-129.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
rh-ruby27-ruby-2.7.3-129.el7.src.rpm

noarch:
rh-ruby27-ruby-doc-2.7.3-129.el7.noarch.rpm
rh-ruby27-rubygem-bundler-2.1.4-129.el7.noarch.rpm
rh-ruby27-rubygem-did_you_mean-1.4.0-129.el7.noarch.rpm
rh-ruby27-rubygem-irb-1.2.6-129.el7.noarch.rpm
rh-ruby27-rubygem-minitest-5.13.0-129.el7.noarch.rpm
rh-ruby27-rubygem-net-telnet-0.2.0-129.el7.noarch.rpm
rh-ruby27-rubygem-power_assert-1.1.7-129.el7.noarch.rpm
rh-ruby27-rubygem-rake-13.0.1-129.el7.noarch.rpm
rh-ruby27-rubygem-rdoc-6.2.1-129.el7.noarch.rpm
rh-ruby27-rubygem-test-unit-3.3.4-129.el7.noarch.rpm
rh-ruby27-rubygem-xmlrpc-0.3.0-129.el7.noarch.rpm
rh-ruby27-rubygems-3.1.6-129.el7.noarch.rpm
rh-ruby27-rubygems-devel-3.1.6-129.el7.noarch.rpm

ppc64le:
rh-ruby27-ruby-2.7.3-129.el7.ppc64le.rpm
rh-ruby27-ruby-debuginfo-2.7.3-129.el7.ppc64le.rpm
rh-ruby27-ruby-devel-2.7.3-129.el7.ppc64le.rpm
rh-ruby27-ruby-libs-2.7.3-129.el7.ppc64le.rpm
rh-ruby27-rubygem-bigdecimal-2.0.0-129.el7.ppc64le.rpm
rh-ruby27-rubygem-io-console-0.5.6-129.el7.ppc64le.rpm
rh-ruby27-rubygem-json-2.3.0-129.el7.ppc64le.rpm
rh-ruby27-rubygem-openssl-2.1.2-129.el7.ppc64le.rpm
rh-ruby27-rubygem-psych-3.1.0-129.el7.ppc64le.rpm
rh-ruby27-rubygem-racc-1.4.16-129.el7.ppc64le.rpm

s390x:
rh-ruby27-ruby-2.7.3-129.el7.s390x.rpm
rh-ruby27-ruby-debuginfo-2.7.3-129.el7.s390x.rpm
rh-ruby27-ruby-devel-2.7.3-129.el7.s390x.rpm
rh-ruby27-ruby-libs-2.7.3-129.el7.s390x.rpm
rh-ruby27-rubygem-bigdecimal-2.0.0-129.el7.s390x.rpm
rh-ruby27-rubygem-io-console-0.5.6-129.el7.s390x.rpm
rh-ruby27-rubygem-json-2.3.0-129.el7.s390x.rpm
rh-ruby27-rubygem-openssl-2.1.2-129.el7.s390x.rpm
rh-ruby27-rubygem-psych-3.1.0-129.el7.s390x.rpm
rh-ruby27-rubygem-racc-1.4.16-129.el7.s390x.rpm

x86_64:
rh-ruby27-ruby-2.7.3-129.el7.x86_64.rpm
rh-ruby27-ruby-debuginfo-2.7.3-129.el7.x86_64.rpm
rh-ruby27-ruby-devel-2.7.3-129.el7.x86_64.rpm
rh-ruby27-ruby-libs-2.7.3-129.el7.x86_64.rpm
rh-ruby27-rubygem-bigdecimal-2.0.0-129.el7.x86_64.rpm
rh-ruby27-rubygem-io-console-0.5.6-129.el7.x86_64.rpm
rh-ruby27-rubygem-json-2.3.0-129.el7.x86_64.rpm
rh-ruby27-rubygem-openssl-2.1.2-129.el7.x86_64.rpm
rh-ruby27-rubygem-psych-3.1.0-129.el7.x86_64.rpm
rh-ruby27-rubygem-racc-1.4.16-129.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-ruby27-ruby-2.7.3-129.el7.src.rpm

noarch:
rh-ruby27-ruby-doc-2.7.3-129.el7.noarch.rpm
rh-ruby27-rubygem-bundler-2.1.4-129.el7.noarch.rpm
rh-ruby27-rubygem-did_you_mean-1.4.0-129.el7.noarch.rpm
rh-ruby27-rubygem-irb-1.2.6-129.el7.noarch.rpm
rh-ruby27-rubygem-minitest-5.13.0-129.el7.noarch.rpm
rh-ruby27-rubygem-net-telnet-0.2.0-129.el7.noarch.rpm
rh-ruby27-rubygem-power_assert-1.1.7-129.el7.noarch.rpm
rh-ruby27-rubygem-rake-13.0.1-129.el7.noarch.rpm
rh-ruby27-rubygem-rdoc-6.2.1-129.el7.noarch.rpm
rh-ruby27-rubygem-test-unit-3.3.4-129.el7.noarch.rpm
rh-ruby27-rubygem-xmlrpc-0.3.0-129.el7.noarch.rpm
rh-ruby27-rubygems-3.1.6-129.el7.noarch.rpm
rh-ruby27-rubygems-devel-3.1.6-129.el7.noarch.rpm

x86_64:
rh-ruby27-ruby-2.7.3-129.el7.x86_64.rpm
rh-ruby27-ruby-debuginfo-2.7.3-129.el7.x86_64.rpm
rh-ruby27-ruby-devel-2.7.3-129.el7.x86_64.rpm
rh-ruby27-ruby-libs-2.7.3-129.el7.x86_64.rpm
rh-ruby27-rubygem-bigdecimal-2.0.0-129.el7.x86_64.rpm
rh-ruby27-rubygem-io-console-0.5.6-129.el7.x86_64.rpm
rh-ruby27-rubygem-json-2.3.0-129.el7.x86_64.rpm
rh-ruby27-rubygem-openssl-2.1.2-129.el7.x86_64.rpm
rh-ruby27-rubygem-psych-3.1.0-129.el7.x86_64.rpm
rh-ruby27-rubygem-racc-1.4.16-129.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-25613
https://access.redhat.com/security/cve/CVE-2021-28965
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.7_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYLi8sdzjgjWX9erEAQhZBA/7BsCXtACIZAKvhE3vQ8UTauQ2PLpkqBFn
N0EeqwNa54flJw/TOMQqYj1hIqhvd9IY2+UgTmCCA5dv1fpS0gZIqgmwa2pf3Iiz
4wsV1jBy0kdhi0d57uEbEiyBXa4NPMqVgbGSOv7lhOq6mr5uxUZYd3Fz6IAWsGHc
tLTUzzA4zbrSlYVwTryYA4EbgsGj+tWm1nj1lwT4/xdK8e0YtR3oxIowoUaj1G2h
txnpZnCewwDirAc29zW6Fa4OV4zZ7Ssqz5jJJ660A+JL6/KIqAev9drgPscxN9Nd
PZ/N3WZyBvkHpB+9aERge4Cw16yDc2njRR0oJepVk6iO5HKWy5FA9Pc3GjSrQ52Y
/2OK+00Y/bIYHKpRn4ekPCUWsJkG8kdoZoCzPu15NtYiDPlkNpNVCIUIjfuVDPfd
NNjtPPZzLhgT3e60vY6hXWOg1ws6mHfOSZ9YogNUOLQa0pjrU8Rb4jDjQzmznM4J
PNOS4MxV5pFpByHC2KNhN4qcYxEKyLeb7viPZHdt/jtpo+s9N1h3Ho6TE3TUj/G2
XRJibTefsLHWQ6rnyLhO8Bjg8brxt9rNM23EqibdWqoQeSLzftJ47PQfmlGkQbCq
uUnsBvrFbuiPCNguDnehctFT/rduR2/EZ9b0yEbe7606xS1Xb92VmigP3HfkDTJL
z86IHfh54zI=
=9bQi
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYLli5+NLKJtyKPYoAQjwig//TwVpYrY0WXR2w72xS/7GVyi2mQGeHsDf
VoaOTosCzflxN4EHxA6142E1ejQgiiix6fdtC1EcsMRaB3Ce+4duf++g7daIxTBg
WnNzfwdtjNbxfapxgt0NUH9V0TVv5MyNrGsUz/k6mfqCknfnagzSmgFxWScpNl6L
NHOV8a7/uafpUpjwo+His3aI6o96zkmx6cZNnu2YrUxzBGJWg2lO5xEZwQXGdtue
pZfODHQNd8JVCTyZ/FThY09kW8Si+q+7dONKSpmd2nxKIf1/7iXY2gHH4slXoCVq
EKbOLmj04x0pCgazTbLhrx4U05sw/JVut8D9g18I+udFx4XT4zZ0x1kdRhcoWB9w
Pn8zyt5fW334z8i58jZB1VtIotqeQF5C5ryhd6Sy4AtTGa1gL/kH7UJjV9zAGd64
hAKgTgMArnJmkyDrY0g8McFlCl12bCa6dKnppwtQzEP8q+EUUAGH93AYtpQZRv2q
oXkSeZeuXTplgoWX7BGBt1nvPNGnYWozPXT8E4ulHKWgmbEcIIRYF1kP17xCLTT8
GjvNyYgD9PUoEK1AE0ICrP2faF0qZa/pEyUpnYvwm5o9kw/IoZH8YWoxKB7RFfsL
BwUnmVHRWa/eHuoWinbCZ3ZlPAoIzqYSVN6kYaM6/PuMwE9hzCxUXlgjP3XovOyv
aeRDQlW/zH4=
=j6ml
-----END PGP SIGNATURE-----