-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2337
                   Ruby 2.6.8, 2.7.4 and 3.0.2 Released
                                8 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby 2.6.8
                   Ruby 2.7.4
                   Ruby 3.0.2
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Provide Misleading Information  -- Unknown/Unspecified
                   Access Confidential Data        -- Unknown/Unspecified
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32066 CVE-2021-31810 CVE-2021-31799

Reference:         ESB-2021.1496

Original Bulletin: 
   https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/
   https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
   https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/

Comment: This bulletin contains three (3) Ruby security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Ruby 2.6.8 Released

Posted by usa on 7 Jul 2021

Ruby 2.6.8 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
  o CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
  o CVE-2021-31799: A command injection vulnerability in RDoc

We ordinarily do not change Ruby 2.6 except for security fixes, but this release
also includes fixes for some regressions and build problems. See the commit logs
for details.

Ruby 2.6 is now in its security maintenance phase, which lasts until the end of
March 2022. After that date, maintenance of Ruby 2.6 will end. We recommend that
you start planning the migration to a newer version of Ruby, such as 3.0 or 2.7.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.tar.bz2

    SIZE: 14131671
    SHA1: 7d38cacb6a0779f04b9f19f94406da97e95bbec4
    SHA256: dac96ca6df8bab5a6fc7778907f42498037f8ce05b63d20779dce3163e9fafe6
    SHA512: 51806d48187dfcce269ff904943dd008df800216ad4797f95481bdeecc2fbac40016bc02eabfff32414839ebb2087511d25eebfd6acead1a1d3813be6c10edf7

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.tar.gz

    SIZE: 16202660
    SHA1: 949dce34bba3ae93fd302fe705017b03d13b69ab
    SHA256: 1807b78577bc08596a390e8a41aede37b8512190e05c133b17d0501791a8ca6d
    SHA512: 4f8b8736bdae8bb4b2b63d576232d376b4c87239d25bf7aa807d3eeea704cb8b06f465c37050be79b57a52b9bde65a5cc05679dd6df0f443c8e00a19513f882a

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.tar.xz

    SIZE: 11599488
    SHA1: fa5ad518ef31bbf5c3386dbcec7b57196a1e618e
    SHA256: 8262e4663169c85787fdc9bfbd04d9eb86eb2a4b56d7f98373a8fcaa18e593eb
    SHA512: d040ad2238523587d8f356fcb796b8b6ad7f8caff7dd6df09e3f7efcbfa0369e33600e78c7f2bc713ae77c040757cce5c4fec223cb9070209f2bf741899c556d

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.8.zip

    SIZE: 19868666
    SHA1: ece4908dd84c7aaefbe6b188c0aca39eaedb2a77
    SHA256: d5da2d7e1b9a6b570c66b3bb0cfa2de3ce21d002d2385a1fdf7195e2d0d1d5c7
    SHA512: 143ee01da2cba85a2dcb394b1a64b18a748aeb0eda4d6d2d83638706ce4bb05f60f3e80a0429878f823437e0dfba285f8080637523a552eb04aca87df63831dc

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

- --------------------------------------------------------------------------------

Ruby 2.7.4 Released

Posted by usa on 7 Jul 2021

Ruby 2.7.4 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
  o CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
  o CVE-2021-31799: A command injection vulnerability in RDoc

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.tar.bz2

    SIZE: 14804934
    SHA1: f5bdecded2d68e4f2f0ab1d20137e8b4b0614e52
    SHA256: bffa8aec9da392eda98f1c561071bb6e71d217d541c617fc6e3282d79f4e7d48
    SHA512: f144c32c9cb0006dfcfa7d297f83f88b881f68c94f0130346c74dfd8758583a68d22accfd0fc9f31db304ab5ff0bc135bfb2868145c0dec1ee6cec5ac6c3725d

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.tar.gz

    SIZE: 16915699
    SHA1: 86ec4a97bc43370050b5aef8d6ea3ed3938fb344
    SHA256: 3043099089608859fc8cce7f9fdccaa1f53a462457e3838ec3b25a7d609fbc5b
    SHA512: a317752e9a32c8d1261e67ca89c396722ee779ec8ba4594987812d065b73751f51485a1ede8044aae14b3b16e8d049c6953cef530ae1b82abb135b446c653f8a

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.tar.xz

    SIZE: 12067588
    SHA1: 6e044d835f9f432cfa9441241c1ef66e3d607cbf
    SHA256: 2a80824e0ad6100826b69b9890bf55cfc4cf2b61a1e1330fccbcb30c46cef8d7
    SHA512: 2cbb70ecfdd69120e789023ddb2b25cab0d03bc33fdc367a8f74ca8a3ee785c18c8ded9de3ecee627c7e275ffb85147e6abf921b6a61e31851b37c7fedf45bf9

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.4.zip

    SIZE: 20701195
    SHA1: 32bdd5288dcc1e531832c14d26ff7cd218b55bc3
    SHA256: a4fe29bfc6a8338fe4b017705aa9d3358225ea305359520d4995096a4382034e
    SHA512: 2877b809bafe72cba789add85993a1954008012afcfb5fc4645e482478479bb02166b0d5ee12263983a6c828e6970eb1385632409793dcbc5185d7bbc9c4f349

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

The maintenance of Ruby 2.7, including this release, is based on the Agreement
for the Ruby stable version of the Ruby Association.

- --------------------------------------------------------------------------------

Ruby 3.0.2 Released

Posted by nagachika on 7 Jul 2021

Ruby 3.0.2 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
  o CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
  o CVE-2021-31799: A command injection vulnerability in RDoc

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.2.tar.gz

    SIZE: 19941179
    SHA1: e00784956ed2083a40e269d8b14e571b8fae9a0f
    SHA256: 5085dee0ad9f06996a8acec7ebea4a8735e6fac22f22e2d98c3f2bc3bef7e6f1
    SHA512: e1fba6f5429b5fca9c3f52a32535615fcf95fafa415efc71c46db4cce159f249112c01574c305026be5c50140335696042e47a74194caea045acbfaa4da738cd

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.2.tar.xz

    SIZE: 14746080
    SHA1: cd04711ed3adecbe244c3b4391e67430d11fa9f8
    SHA256: 570e7773100f625599575f363831166d91d49a1ab97d3ab6495af44774155c40
    SHA512: 0f702e2d8ca1342a9d4284dbdd234a3588e057b92566353aa7c21835cf09a3932864b2acf459a976960a1704e9befa562155d36b98b7cda8bd99526e10a374c4

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.2.zip

    SIZE: 24293508
    SHA1: 9cde469fec5c9f8edd1d055fc4a9cc90b9611700
    SHA256: 79e34f7fab000cb64ede8c39724ae240e36ee5905c752d77ec61a067d5e4e1dd
    SHA512: 2eb1ce4d66b06ccdee835a017c0edd4028fff99a29f4a631ffb5b39289afcb6a88f79eb24cf09e78d2baaa7c3e494448e2701a0a976bb092de6f2929f1934325
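
The three Download sections above publish a size and three digests for every
archive. The following Ruby script is an added example (not code from
ruby-lang.org or AusCERT) that parses that bulletin layout into a manifest and
checks a downloaded file against it; the embedded manifest text is the 3.0.2
tar.gz entry copied from above, and the script file name in the usage comment
is assumed.

```ruby
# Added example, not ruby-lang.org or AusCERT code: check a downloaded release
# archive against the SIZE/SHA1/SHA256/SHA512 values published in the bulletin.
# The manifest below is the Ruby 3.0.2 tar.gz entry copied from the bulletin.
require 'digest'

BULLETIN_MANIFEST = <<~TEXT
  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.2.tar.gz

    SIZE: 19941179
    SHA1: e00784956ed2083a40e269d8b14e571b8fae9a0f
    SHA256: 5085dee0ad9f06996a8acec7ebea4a8735e6fac22f22e2d98c3f2bc3bef7e6f1
    SHA512: e1fba6f5429b5fca9c3f52a32535615fcf95fafa415efc71c46db4cce159f249112c01574c305026be5c50140335696042e47a74194caea045acbfaa4da738cd
TEXT

# Parse the bulletin's "o URL" / "KEY: value" layout into
# { url => { size: Integer, sha1:, sha256:, sha512: } }; unknown keys are ignored.
def parse_download_manifest(text)
  manifest = {}
  current = nil
  text.each_line do |line|
    if (m = line.match(%r{^\s*o\s+(https?://\S+)}))
      current = m[1]
      manifest[current] = {}
    elsif current && (m = line.match(/^\s*(SIZE|SHA1|SHA256|SHA512):\s*(\S+)/))
      key = m[1].downcase.to_sym
      manifest[current][key] = key == :size ? m[2].to_i : m[2].downcase
    end
  end
  manifest
end

# Compare a local file with one manifest entry and return the fields that
# disagree; an empty array means every published value matched. The size
# check runs first so a truncated download is reported without hashing.
def verify_artifact(path, entry)
  mismatches = []
  mismatches << :size if entry[:size] && File.size(path) != entry[:size]
  { sha1: Digest::SHA1, sha256: Digest::SHA256, sha512: Digest::SHA512 }.each do |key, klass|
    next unless entry[key]
    mismatches << key unless klass.file(path).hexdigest == entry[key]
  end
  mismatches
end

# Usage: ruby verify_release.rb ruby-3.0.2.tar.gz  (exit status 1 on mismatch)
if ARGV.any?
  url, entry = parse_download_manifest(BULLETIN_MANIFEST).first
  bad = verify_artifact(ARGV[0], entry)
  puts(bad.empty? ? "OK: #{ARGV[0]} matches #{url}" : "MISMATCH: #{bad.join(', ')}")
  exit(bad.empty? ? 0 : 1)
end
```

Pasting the 2.6.8 or 2.7.4 Download sections into BULLETIN_MANIFEST works the
same way, since the parser keys entries by URL.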

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----