===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2337
                    Ruby 2.6.8, 2.7.4 and 3.0.2 Released
                                 8 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby 2.6.8
                   Ruby 2.7.4
                   Ruby 3.0.2
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Provide Misleading Information  -- Unknown/Unspecified
                   Access Confidential Data        -- Unknown/Unspecified
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32066 CVE-2021-31810 CVE-2021-31799

Reference:         ESB-2021.1496

Original Bulletin:
   https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/
   https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
   https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/

Comment: This bulletin contains three (3) Ruby security advisories.

---------------------------BEGIN INCLUDED TEXT--------------------

Ruby 2.6.8 Released

Posted by usa on 7 Jul 2021

Ruby 2.6.8 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
  o CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
  o CVE-2021-31799: A command injection vulnerability in RDoc

We ordinarily do not change Ruby 2.6 except for security fixes, but this
release also includes fixes for some regressions and build problems. See the
commit logs for details.

Ruby 2.6 is now in its security maintenance phase, which lasts until the end
of March 2022. After that date, maintenance of Ruby 2.6 will end. We recommend
that you start planning the migration to a newer version of Ruby, such as 3.0
or 2.7.
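As an added illustration of the first item above, the PASV handling that CVE-2021-31810 concerns (example code written for this bulletin, not Ruby's own net/ftp implementation): a server's 227 reply names a host and port for the data connection, and a client that connects to whatever host the reply names can be steered to an address of the server's choosing, whereas the hardened form takes only the port from the reply and pins the data connection to the control connection's peer address. The control host and the reply below are constructed sample values.

```ruby
# Added example (not Ruby's net/ftp code): parse an FTP PASV reply and pick
# the data-connection endpoint the trusting way and the pinned way.

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = /\A227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Returns [advertised_host, port], or nil when the reply is malformed.
def parse_pasv(reply)
  m = PASV_RE.match(reply.to_s.strip)
  return nil unless m
  fields = m.captures.map(&:to_i)
  return nil if fields.any? { |f| f > 255 }   # each field is one byte
  host = fields[0, 4].join('.')
  port = (fields[4] << 8) | fields[5]
  return nil if port.zero?
  [host, port]
end

# Vulnerable pattern: the client connects to whatever host the server names,
# so a malicious server can redirect the data connection to a third party.
def data_endpoint_trusting(reply, _control_host)
  parse_pasv(reply)
end

# Hardened pattern: only the port comes from the reply; the data connection
# is pinned to the peer address of the existing control connection.
def data_endpoint_pinned(reply, control_host)
  parsed = parse_pasv(reply)
  return nil unless parsed
  [control_host, parsed[1]]
end

# Constructed sample: the control connection is to 203.0.113.10, but the
# server's reply points the data connection at an internal address.
SAMPLE_CONTROL_HOST = "203.0.113.10"
SAMPLE_REPLY = "227 Entering Passive Mode (10,0,0,5,4,210)"

if __FILE__ == $0
  puts "trusting: #{data_endpoint_trusting(SAMPLE_REPLY, SAMPLE_CONTROL_HOST).inspect}"
  puts "pinned:   #{data_endpoint_pinned(SAMPLE_REPLY, SAMPLE_CONTROL_HOST).inspect}"
end
```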
Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.tar.bz2
      SIZE:   14131671
      SHA1:   7d38cacb6a0779f04b9f19f94406da97e95bbec4
      SHA256: dac96ca6df8bab5a6fc7778907f42498037f8ce05b63d20779dce3163e9fafe6
      SHA512: 51806d48187dfcce269ff904943dd008df800216ad4797f95481bdeecc2fbac40016bc02eabfff32414839ebb2087511d25eebfd6acead1a1d3813be6c10edf7

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.tar.gz
      SIZE:   16202660
      SHA1:   949dce34bba3ae93fd302fe705017b03d13b69ab
      SHA256: 1807b78577bc08596a390e8a41aede37b8512190e05c133b17d0501791a8ca6d
      SHA512: 4f8b8736bdae8bb4b2b63d576232d376b4c87239d25bf7aa807d3eeea704cb8b06f465c37050be79b57a52b9bde65a5cc05679dd6df0f443c8e00a19513f882a

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.tar.xz
      SIZE:   11599488
      SHA1:   fa5ad518ef31bbf5c3386dbcec7b57196a1e618e
      SHA256: 8262e4663169c85787fdc9bfbd04d9eb86eb2a4b56d7f98373a8fcaa18e593eb
      SHA512: d040ad2238523587d8f356fcb796b8b6ad7f8caff7dd6df09e3f7efcbfa0369e33600e78c7f2bc713ae77c040757cce5c4fec223cb9070209f2bf741899c556d

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.zip
      SIZE:   19868666
      SHA1:   ece4908dd84c7aaefbe6b188c0aca39eaedb2a77
      SHA256: d5da2d7e1b9a6b570c66b3bb0cfa2de3ce21d002d2385a1fdf7195e2d0d1d5c7
      SHA512: 143ee01da2cba85a2dcb394b1a64b18a748aeb0eda4d6d2d83638706ce4bb05f60f3e80a0429878f823437e0dfba285f8080637523a552eb04aca87df63831dc

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

- --------------------------------------------------------------------------------

Ruby 2.7.4 Released

Posted by usa on 7 Jul 2021

Ruby 2.7.4 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
  o CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
  o CVE-2021-31799: A command injection vulnerability in RDoc

See the commit logs for details.
Download

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.tar.bz2
      SIZE:   14804934
      SHA1:   f5bdecded2d68e4f2f0ab1d20137e8b4b0614e52
      SHA256: bffa8aec9da392eda98f1c561071bb6e71d217d541c617fc6e3282d79f4e7d48
      SHA512: f144c32c9cb0006dfcfa7d297f83f88b881f68c94f0130346c74dfd8758583a68d22accfd0fc9f31db304ab5ff0bc135bfb2868145c0dec1ee6cec5ac6c3725d

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.tar.gz
      SIZE:   16915699
      SHA1:   86ec4a97bc43370050b5aef8d6ea3ed3938fb344
      SHA256: 3043099089608859fc8cce7f9fdccaa1f53a462457e3838ec3b25a7d609fbc5b
      SHA512: a317752e9a32c8d1261e67ca89c396722ee779ec8ba4594987812d065b73751f51485a1ede8044aae14b3b16e8d049c6953cef530ae1b82abb135b446c653f8a

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.tar.xz
      SIZE:   12067588
      SHA1:   6e044d835f9f432cfa9441241c1ef66e3d607cbf
      SHA256: 2a80824e0ad6100826b69b9890bf55cfc4cf2b61a1e1330fccbcb30c46cef8d7
      SHA512: 2cbb70ecfdd69120e789023ddb2b25cab0d03bc33fdc367a8f74ca8a3ee785c18c8ded9de3ecee627c7e275ffb85147e6abf921b6a61e31851b37c7fedf45bf9

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.zip
      SIZE:   20701195
      SHA1:   32bdd5288dcc1e531832c14d26ff7cd218b55bc3
      SHA256: a4fe29bfc6a8338fe4b017705aa9d3358225ea305359520d4995096a4382034e
      SHA512: 2877b809bafe72cba789add85993a1954008012afcfb5fc4645e482478479bb02166b0d5ee12263983a6c828e6970eb1385632409793dcbc5185d7bbc9c4f349

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

The maintenance of Ruby 2.7, including this release, is based on the Agreement
for the Ruby stable version of the Ruby Association.

- --------------------------------------------------------------------------------

Ruby 3.0.2 Released

Posted by nagachika on 7 Jul 2021

Ruby 3.0.2 has been released.

This release includes security fixes. Please check the topics below for
details.
  o CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
  o CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
  o CVE-2021-31799: A command injection vulnerability in RDoc

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.2.tar.gz
      SIZE:   19941179
      SHA1:   e00784956ed2083a40e269d8b14e571b8fae9a0f
      SHA256: 5085dee0ad9f06996a8acec7ebea4a8735e6fac22f22e2d98c3f2bc3bef7e6f1
      SHA512: e1fba6f5429b5fca9c3f52a32535615fcf95fafa415efc71c46db4cce159f249112c01574c305026be5c50140335696042e47a74194caea045acbfaa4da738cd

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.2.tar.xz
      SIZE:   14746080
      SHA1:   cd04711ed3adecbe244c3b4391e67430d11fa9f8
      SHA256: 570e7773100f625599575f363831166d91d49a1ab97d3ab6495af44774155c40
      SHA512: 0f702e2d8ca1342a9d4284dbdd234a3588e057b92566353aa7c21835cf09a3932864b2acf459a976960a1704e9befa562155d36b98b7cda8bd99526e10a374c4

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.2.zip
      SIZE:   24293508
      SHA1:   9cde469fec5c9f8edd1d055fc4a9cc90b9611700
      SHA256: 79e34f7fab000cb64ede8c39724ae240e36ee5905c752d77ec61a067d5e4e1dd
      SHA512: 2eb1ce4d66b06ccdee835a017c0edd4028fff99a29f4a631ffb5b39289afcb6a88f79eb24cf09e78d2baaa7c3e494448e2701a0a976bb092de6f2929f1934325

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================