-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4000
                       Ruby security fixes released
                             25 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ruby
Publisher:         Ruby
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service              -- Unknown/Unspecified
                   Provide Misleading Information -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-41819 CVE-2021-41817 CVE-2021-41816

Reference:         ESB-2021.3892

Original Bulletin: 
   https://www.ruby-lang.org/en/news/2021/11/24/ruby-3-0-3-released/
   https://www.ruby-lang.org/en/news/2021/11/24/ruby-2-7-5-released/
   https://www.ruby-lang.org/en/news/2021/11/24/ruby-2-6-9-released/
   https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/

Comment: This bulletin contains four (4) Ruby security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Ruby 3.0.3 Released

Posted by nagachika on 24 Nov 2021

Ruby 3.0.3 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date
    Parsing Methods
  o CVE-2021-41816: Buffer Overrun in CGI.escape_html
  o CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.3.tar.gz

    SIZE: 20242729
    SHA1: 049317b7c6246d6ea86564c3f73a629b766ff634
    SHA256: 3586861cb2df56970287f0fd83f274bd92058872d830d15570b36def7f1a92ac
    SHA512: 39dab51a0d784a38302372b99f96205817d466245202586d22123745761e9cb39db128ec2b984ebc3919b9faf2adf828d19c97d3fb1e56d44be0a81dc5d11b87

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.3.tar.xz

    SIZE: 14991880
    SHA1: c1e6dac2b8c08afbbee39e25e325c84e1cab7c17
    SHA256: 88cc7f0f021f15c4cd62b1f922e3a401697f7943551fe45b1fdf4f2417a17a9c
    SHA512: bb9ea426278d5a7ac46595296f03b82d43df8b7db41045cdf85611e05e26c703c53f700494cd7cf5d4c27fa953bdc5c144317d7720812db0a6e3b6f4bc4d2e00

  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.3.zip

    SIZE: 24627744
    SHA1: 5341ed1602a3289c4857560ead53191895e5c586
    SHA256: 0b8370e404550bf736f46307a14eb9306a7868fb8d54e1418ecdaccbaa8ac06f
    SHA512: 24c2a4f455f90e54f85d9565e392519833b36aefce32dc707e6693994d175c82e84ee6c37ed4a9ddf8840479e7cdfaae714c12bc6923368bb00346d4edd434d8

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

- ---------------------------------------------------------------------------------------------------------------

Ruby 2.7.5 Released

Posted by usa on 24 Nov 2021

Ruby 2.7.5 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date
    Parsing Methods
  o CVE-2021-41816: Buffer Overrun in CGI.escape_html
  o CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

See the commit logs for details.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.5.tar.bz2

    SIZE: 14805180
    SHA1: 2a179b601f45172b1cb38e8f157c4e6ce272c22c
    SHA256: d6b444341a5e06fcd6eaf1feb83a1c0c2da4705dbe4f275ee851761b185f4bd1
    SHA512: 0aa2ac44bc22859a39c43d08b7c7f457df05c2dc36b2574fd70ca399143ef1000dc5e496212db9eb055bc4258523d47d26db3c57a1a5a5d63cf1b3de9f81645a

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.5.tar.gz

    SIZE: 16923709
    SHA1: c2d0f6c793f9e673f9fb22276d32f8c395ec5581
    SHA256: 2755b900a21235b443bb16dadd9032f784d4a88f143d852bc5d154f22b8781f1
    SHA512: 09e029b5cc15b6e4e37bcf15adb28213eaedec3ea22106d63095b37ea6b2a2b68e82e74e6b50746c87dd77e5185795d014e0db118bf0f45ffa0b0a307f5f65da

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.5.tar.xz

    SIZE: 12072980
    SHA1: 1d04fbf24150eaa1297a7ef4c7057ec0a9dca527
    SHA256: d216d95190eaacf3bf165303747b02ff13f10b6cfab67a9031b502a49512b516
    SHA512: 21c8a713e3ce115fc4c405113ac691ddcefc3419f528b93ca1ac59e7052c1b6e9e241da0e570e291e567f28f3d840824dbcc5967b216cbe7d6ca7a05580fa311

  o https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.5.zip

    SIZE: 20702176
    SHA1: 541b34fa5e7e55b6269a2bfa67e2a06ad0dcb571
    SHA256: 3793d764ec8da68203eba1a7fe338fae9bafa8226cce911c8648c1b7c32ba9c2
    SHA512: fe9a706f8139e59a40ab205dc88cdc613c9c69186cb2daeb5adc80bdf45290a523fa7e3fd0866fa12325039ba413ff1e1f4233073d352da08079dc903063b31a

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

The maintenance of Ruby 2.7, including this release, is based on the
Agreement for the Ruby stable version of the Ruby Association.
- ---------------------------------------------------------------------------------------------------------------

Ruby 2.6.9 Released

Posted by usa on 24 Nov 2021

Ruby 2.6.9 has been released.

This release includes security fixes. Please check the topics below for
details.

  o CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date
    Parsing Methods
  o CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse

See the commit logs for details.

Ruby 2.6 is now under the state of the security maintenance phase, until the
end of March of 2022. After that date, maintenance of Ruby 2.6 will be ended.
We recommend you start planning the migration to newer versions of Ruby, such
as 3.0 or 2.7.

Download

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.9.tar.bz2

    SIZE: 14137792
    SHA1: a482c36645e7ff4596c6aca2cf96d15481fcfc5e
    SHA256: a0639060c4519572e51828eb742f09dd40f154c820f6007246de7a2090e3ee45
    SHA512: ff067ebc059094c0a9a0debf54a37aad2c85f7ed47be59299041c9c03a7701529f5063ff32a1b8c56d48ee8585015acba63602ed0176b2797d263d43d67aa241

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.9.tar.gz

    SIZE: 16202802
    SHA1: 00e69747e7e2b87155c65b4003470313e4403b0a
    SHA256: eb7bae7aac64bf9eb2153710a4cafae450ccbb62ae6f63d573e1786178b0efbb
    SHA512: 24bd6c8f528907349bcf392ed75a2d767b93a35a9f4c839267873d1dde862d3292d1682e0edc56c078a2690de76a045ef866f54eab8a330a18771f0b234c5993

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.9.tar.xz

    SIZE: 11590064
    SHA1: fc67ca162010aac4af49d73a8c48be5cb2fb5907
    SHA256: 6a041d82ae6e0f02ccb1465e620d94a7196489d8a13d6018a160da42ebc1eece
    SHA512: f60aa89e685cea324185eb0d13e6b44caef4e4f761cbf9ea1386ae70e39faf3866ac01e4bb5354574f2583e74290b8c80eaf63d126040d52368be6c771476451

  o https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.9.zip

    SIZE: 19869379
    SHA1: 41a60c783306f4b47b867bd19d16688b546b8e3a
    SHA256: 2480dbdc72d3dc832d8254e938e4861ca54a5337edd6f358e5202fd2a5339eec
    SHA512: 9073e0fc5040434f15158f24c6a551286bc5f1c4c1cb54d6e3debb4ac039187a4f274a217bdb5c8489c72360c65d708f89eb0f2472a1f9232fcfee8e296dec57
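
The following Ruby script is an added example for checking a downloaded
archive against the SIZE, SHA256 and SHA512 values published in the three
release notes above; it is not part of the Ruby project's release notes or
of the AusCERT bulletin. It parses release-note stanzas in the format shown
above (the 3.0.3 tar.xz stanza is embedded as sample input) and streams the
archive through SHA256 and SHA512. SHA1 is parsed but deliberately not used
for verification, since it is no longer collision-resistant. The function
and constant names are this example's own.

```ruby
require 'digest/sha2'
require 'stringio'

# Stanza copied from the Ruby 3.0.3 release note above, embedded as sample input.
SAMPLE_RELEASE_NOTE = <<~NOTE
  o https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.3.tar.xz

    SIZE: 14991880
    SHA1: c1e6dac2b8c08afbbee39e25e325c84e1cab7c17
    SHA256: 88cc7f0f021f15c4cd62b1f922e3a401697f7943551fe45b1fdf4f2417a17a9c
    SHA512: bb9ea426278d5a7ac46595296f03b82d43df8b7db41045cdf85611e05e26c703c53f700494cd7cf5d4c27fa953bdc5c144317d7720812db0a6e3b6f4bc4d2e00
NOTE

# Parses "o https://cache.ruby-lang.org/pub/ruby/X.Y/ruby-X.Y.Z.ext" stanzas into
# { "ruby-X.Y.Z.ext" => { size: Integer, sha1: hex, sha256: hex, sha512: hex } }.
def parse_release_digests(text)
  entries = {}
  current = nil
  text.each_line do |line|
    if (m = line.match(%r{https://cache\.ruby-lang\.org/pub/ruby/[\d.]+/(ruby-[^\s/]+)\s*$}))
      current = entries[m[1]] = {}
    elsif current && (m = line.match(/^\s*(SIZE|SHA1|SHA256|SHA512):\s*(\S+)\s*$/))
      key = m[1].downcase.to_sym
      current[key] = key == :size ? Integer(m[2]) : m[2].downcase
    end
  end
  entries
end

# Streams the archive once through both hashes and compares size, SHA256 and SHA512
# with the published values. Returns a list of problems; an empty list means OK.
def verify_archive(io, expected)
  sha256 = Digest::SHA256.new
  sha512 = Digest::SHA512.new
  size = 0
  while (chunk = io.read(1 << 20))   # 1 MiB chunks, so a 20 MB tarball is not slurped whole
    size += chunk.bytesize
    sha256 << chunk
    sha512 << chunk
  end
  problems = []
  problems << "size #{size} != #{expected[:size]}" if expected[:size] && size != expected[:size]
  problems << "sha256 mismatch" if expected[:sha256] && sha256.hexdigest != expected[:sha256]
  problems << "sha512 mismatch" if expected[:sha512] && sha512.hexdigest != expected[:sha512]
  problems
end

# Looks the archive up by file name in the parsed table and verifies it on disk.
def verify_archive_file(path, entries)
  name = File.basename(path)
  expected = entries.fetch(name) { raise ArgumentError, "no published digests for #{name}" }
  File.open(path, 'rb') { |f| verify_archive(f, expected) }
end

if __FILE__ == $0 && !ARGV.empty?
  archive, note_path = ARGV
  text = note_path ? File.read(note_path) : SAMPLE_RELEASE_NOTE
  problems = verify_archive_file(archive, parse_release_digests(text))
  puts "#{File.basename(archive)}: #{problems.empty? ? 'OK' : problems.join(', ')}"
  exit(problems.empty? ? 0 : 1)
end
```

Run it as "ruby verify_ruby_archive.rb ruby-3.0.3.tar.xz release-note.txt",
where release-note.txt is the saved announcement text. One limit to keep in
mind: the tarball and the digests on ruby-lang.org come from the same HTTPS
origin, so a match rules out a corrupted or substituted mirror copy, not a
compromise of the release page itself. The PGP-signed AusCERT bulletin above
carries an independently attested copy of the same digests, which is the
stronger reference to compare against.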

Release Comment

Many committers, developers, and users who provided bug reports helped us make
this release. Thanks for their contributions.

- ---------------------------------------------------------------------------------------------------------------

CVE-2021-41816: Buffer Overrun in CGI.escape_html

Posted by mame on 24 Nov 2021

A buffer overrun vulnerability was discovered in CGI.escape_html. This
vulnerability has been assigned the CVE identifier CVE-2021-41816. We strongly
recommend upgrading Ruby.

Details

Passing a very large string (more than about 700 MB) to CGI.escape_html causes
a buffer overflow on platforms where the C long type is 4 bytes, typically
Windows.

Please update the cgi gem to version 0.3.1, 0.2.1, or 0.1.1 or later. You can
run "gem update cgi" to update it. If you are using bundler, add
gem "cgi", ">= 0.3.1" to your Gemfile. Alternatively, update Ruby to 2.7.5
or 3.0.3.

This issue was introduced in Ruby 2.7, so the cgi version bundled with
Ruby 2.6 is not vulnerable.

Affected versions

  o cgi gem 0.1.0 or prior (which are bundled versions with Ruby 2.7 series
    prior to Ruby 2.7.5)
  o cgi gem 0.2.0 or prior (which are bundled versions with Ruby 3.0 series
    prior to Ruby 3.0.3)
  o cgi gem 0.3.0 or prior
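
As an added example (not code from the advisory or from the cgi gem), the
following Ruby snippet encodes the affected-version table above as a check,
reports whether the running interpreter combines an affected gem version with
a 4-byte long, and wraps CGI.escape_html in a length cap for deployments that
cannot upgrade immediately. The 64 MB cap, the function names, and the
reliance on the CGI::VERSION constant that the cgi gem defines in its
lib/cgi.rb are this example's assumptions. The roughly 700 MB figure in the
advisory is consistent with a worst-case expansion of 6 bytes per character
(for example "&quot;") overflowing a 32-bit length, since 2^32 / 6 is about
715 MB; that explanation is an inference, not a statement from the advisory.

```ruby
require 'cgi'
require 'rubygems'

# Fix boundaries taken from the advisory: each affected 0.x line is fixed in its .1 release.
FIXED_CGI_VERSIONS = %w[0.1.1 0.2.1 0.3.1].map { |s| Gem::Version.new(s) }.freeze

# True when the cgi gem version falls in an affected range
# (0.1.0 or prior, 0.2.0, or 0.3.0); 0.4.0 and later shipped with the fix.
def cgi_vulnerable_to_cve_2021_41816?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < FIXED_CGI_VERSIONS.first          # anything before 0.1.1
  FIXED_CGI_VERSIONS.drop(1).any? do |fixed|
    v.segments[0, 2] == fixed.segments[0, 2] && v < fixed  # same 0.x line, below its fix
  end
end

# Size of the C long type in this interpreter: 4 on Windows (LLP64) and on
# 32-bit builds, 8 on LP64 Unix. 'l!' packs a native long.
def native_long_bytes
  [0].pack('l!').bytesize
end

# Combines gem version and platform into one verdict. Assumption: the cgi gem
# exposes CGI::VERSION (defined in its lib/cgi.rb); Ruby 2.6's stdlib cgi has no
# such constant and is not affected per the advisory.
def cve_2021_41816_status(cgi_version: (defined?(CGI::VERSION) ? CGI::VERSION : nil),
                          long_bytes: native_long_bytes)
  if cgi_version.nil?
    pre_27 = Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.7")
    return pre_27 ? :not_affected_stdlib_cgi : :unknown_cgi_version
  end
  return :patched unless cgi_vulnerable_to_cve_2021_41816?(cgi_version)
  long_bytes == 4 ? :vulnerable : :vulnerable_gem_but_64bit_long
end

# Defensive cap for callers who cannot upgrade yet. The 64 MB value is this
# example's choice, far below the ~700 MB region the advisory cites.
MAX_ESCAPE_INPUT_BYTES = 64 * 1024 * 1024

def escape_html_capped(str, max_bytes: MAX_ESCAPE_INPUT_BYTES)
  if str.bytesize > max_bytes
    raise ArgumentError, "refusing to escape #{str.bytesize} bytes (cap #{max_bytes})"
  end
  CGI.escape_html(str)
end

if __FILE__ == $0
  version = defined?(CGI::VERSION) ? CGI::VERSION : "(no CGI::VERSION)"
  puts "Ruby #{RUBY_VERSION}, cgi #{version}, long = #{native_long_bytes} bytes: " \
       "#{cve_2021_41816_status}"
end
```

The status check is deliberately two-dimensional: an affected gem on an LP64
Unix host still reports :vulnerable_gem_but_64bit_long rather than :patched,
because the overflow needs a 4-byte long, so the upgrade is still due but the
exposure differs. The cap is a stopgap only; the fix is the gem or Ruby update.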

Credits

Thanks to chamal for discovering this issue.

History

  o Originally published at 2021-11-24 12:00:00 (UTC)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=bbd9
-----END PGP SIGNATURE-----