===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4000
                        Ruby security fixes released
                              25 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service               -- Unknown/Unspecified
                   Provide Misleading Information  -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-41819 CVE-2021-41817 CVE-2021-41816
Reference:         ESB-2021.3892

Original Bulletin:
   https://www.ruby-lang.org/en/news/2021/11/24/ruby-3-0-3-released/
   https://www.ruby-lang.org/en/news/2021/11/24/ruby-2-7-5-released/
   https://www.ruby-lang.org/en/news/2021/11/24/ruby-2-6-9-released/
   https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/

Comment: This bulletin contains four (4) Ruby security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Ruby 3.0.3 Released
Posted by nagachika on 24 Nov 2021

Ruby 3.0.3 has been released.

This release includes security fixes. Please check the topics below for details.

  o CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
  o CVE-2021-41816: Buffer Overrun in CGI.escape_html
  o CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

See the commit logs for details.
Download

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.3.tar.gz
      SIZE: 20242729
  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.3.tar.xz
      SIZE: 14991880
  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.3.zip
      SIZE: 24627744

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.

---------------------------------------------------------------------------

Ruby 2.7.5 Released
Posted by usa on 24 Nov 2021

Ruby 2.7.5 has been released.

This release includes security fixes. Please check the topics below for details.

  o CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
  o CVE-2021-41816: Buffer Overrun in CGI.escape_html
  o CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

See the commit logs for details.
Download

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.5.tar.bz2
      SIZE: 14805180
  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.5.tar.gz
      SIZE: 16923709
  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.5.tar.xz
      SIZE: 12072980
  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.5.zip
      SIZE: 20702176

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.

The maintenance of Ruby 2.7, including this release, is based on the Agreement for the Ruby stable version of the Ruby Association.

---------------------------------------------------------------------------

Ruby 2.6.9 Released
Posted by usa on 24 Nov 2021

Ruby 2.6.9 has been released.

This release includes security fixes. Please check the topics below for details.
  o CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
  o CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

See the commit logs for details.

Ruby 2.6 is now in its security maintenance phase, which lasts until the end of March 2022. After that date, maintenance of Ruby 2.6 will end. We recommend you start planning the migration to a newer version of Ruby, such as 3.0 or 2.7.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.9.tar.bz2
      SIZE: 14137792
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.9.tar.gz
      SIZE: 16202802
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.9.tar.xz
      SIZE: 11590064
  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.9.zip
      SIZE: 19869379

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.
---------------------------------------------------------------------------

CVE-2021-41816: Buffer Overrun in CGI.escape_html
Posted by mame on 24 Nov 2021

A buffer overrun vulnerability was discovered in CGI.escape_html. This vulnerability has been assigned the CVE identifier CVE-2021-41816. We strongly recommend upgrading Ruby.

Details

CGI.escape_html overflows a buffer when it is passed a very large string (> 700 MB) on a platform where the long type is 4 bytes wide, typically Windows.

Please update the cgi gem to version 0.3.1, 0.2.1, or 0.1.1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", ">= 0.3.1" to your Gemfile.

Alternatively, please update Ruby to 2.7.5 or 3.0.3. This issue was introduced in Ruby 2.7, so the cgi version bundled with Ruby 2.6 is not vulnerable.

Affected versions

  o cgi gem 0.1.0 or prior (the versions bundled with the Ruby 2.7 series prior to Ruby 2.7.5)
  o cgi gem 0.2.0 or prior (the versions bundled with the Ruby 3.0 series prior to Ruby 3.0.3)
  o cgi gem 0.3.0 or prior

Credits

Thanks to chamal for discovering this issue.

History

  o Originally published at 2021-11-24 12:00:00 (UTC)

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
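As an added example, not code from the bulletin or from the Ruby project, the following Ruby script turns the affected-version ranges and the Gemfile pin given in the CVE-2021-41816 advisory above into checks a defender can run against a host's Ruby and cgi gem versions; function names and the constructed version strings are the example's own.

```ruby
# Added example, not code from the advisory or the Ruby project: decide whether a
# host is exposed to CVE-2021-41816 from the version ranges the advisory lists.

# First fixed cgi gem version per release series, as stated in the advisory.
CGI_FIXED_BY_SERIES = {
  "0.1" => Gem::Version.new("0.1.1"), # series bundled with Ruby 2.7.x
  "0.2" => Gem::Version.new("0.2.1"), # series bundled with Ruby 3.0.x
  "0.3" => Gem::Version.new("0.3.1"), # standalone gem
}.freeze

# First Ruby release per series that ships a fixed bundled cgi gem.
RUBY_FIXED_BY_SERIES = {
  "2.7" => Gem::Version.new("2.7.5"),
  "3.0" => Gem::Version.new("3.0.3"),
}.freeze

# The Gemfile pin the advisory recommends for Bundler users.
GEMFILE_PIN = Gem::Requirement.new(">= 0.3.1")

# "major.minor" of a version string, e.g. "0.3.1.pre" -> "0.3".
def series_of(version_string)
  Gem::Version.new(version_string).segments[0, 2].join(".")
end

# True when this cgi gem version is in an affected range (0.x.0 "or prior"
# within its series, which also covers pre-releases of the fix).
def cgi_affected?(cgi_version)
  fixed = CGI_FIXED_BY_SERIES[series_of(cgi_version)]
  return false if fixed.nil? # Ruby 2.6's cgi and 0.4+ lie outside the ranges
  Gem::Version.new(cgi_version) < fixed
end

# True when the cgi gem bundled with this Ruby release is affected.
def bundled_cgi_affected?(ruby_version)
  fixed = RUBY_FIXED_BY_SERIES[series_of(ruby_version)]
  return false if fixed.nil? # 2.6 is not affected; later series ship fixed cgi
  Gem::Version.new(ruby_version) < fixed
end

# Does the advisory's Gemfile pin accept this cgi version? Note it also rejects
# the fixed 0.1.1 and 0.2.1: it pulls the 0.3 series regardless of Ruby version.
def gemfile_pin_allows?(cgi_version)
  GEMFILE_PIN.satisfied_by?(Gem::Version.new(cgi_version))
end

if __FILE__ == $PROGRAM_NAME
  require "cgi"
  installed = Gem.loaded_specs["cgi"]&.version&.to_s
  puts "ruby #{RUBY_VERSION}: bundled cgi affected? #{bundled_cgi_affected?(RUBY_VERSION)}"
  puts "cgi gem #{installed}: affected? #{cgi_affected?(installed)}" if installed
end
```

Run it with the interpreter you are auditing; for a Bundler application, check the cgi version in Gemfile.lock with cgi_affected? rather than the interpreter's bundled copy.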