SUSE-SU-2020:1570-1: important: Security update for ruby2.1
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Tue Jun 9 07:20:02 MDT 2020
SUSE Security Update: Security update for ruby2.1
______________________________________________________________________________
Announcement ID: SUSE-SU-2020:1570-1
Rating: important
References: #1043983 #1048072 #1055265 #1056286 #1056782
#1058754 #1058755 #1058757 #1062452 #1069607
#1069632 #1073002 #1078782 #1082007 #1082008
#1082009 #1082010 #1082011 #1082014 #1082058
#1087433 #1087434 #1087436 #1087437 #1087440
#1087441 #1112530 #1112532 #1130611 #1130617
#1130620 #1130622 #1130623 #1130627 #1152990
#1152992 #1152994 #1152995 #1171517 #1172275
Cross-References: CVE-2015-9096 CVE-2016-2339 CVE-2016-7798
CVE-2017-0898 CVE-2017-0899 CVE-2017-0900
CVE-2017-0901 CVE-2017-0902 CVE-2017-0903
CVE-2017-10784 CVE-2017-14033 CVE-2017-14064
CVE-2017-17405 CVE-2017-17742 CVE-2017-17790
CVE-2017-9228 CVE-2017-9229 CVE-2018-1000073
CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079
CVE-2018-16395 CVE-2018-16396 CVE-2018-6914
CVE-2018-8777 CVE-2018-8778 CVE-2018-8779
CVE-2018-8780 CVE-2019-15845 CVE-2019-16201
CVE-2019-16254 CVE-2019-16255 CVE-2019-8320
CVE-2019-8321 CVE-2019-8322 CVE-2019-8323
CVE-2019-8324 CVE-2019-8325 CVE-2020-10663
Affected Products:
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud 7
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Software Development Kit 12-SP4
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server for SAP 12-SP2
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server 12-SP4
SUSE Linux Enterprise Server 12-SP3-LTSS
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP2-LTSS
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Enterprise Storage 5
HPE Helion Openstack 8
______________________________________________________________________________
An update that fixes 42 vulnerabilities is now available.
Description:
This update for ruby2.1 fixes the following issues:
Security issues fixed:
- CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a
RCPT TO or MAIL FROM command (bsc#1043983).
- CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf
(bsc#1058755).
- CVE-2017-0899: Fixed an issue with malicious gem specifications,
insufficient sanitation when printing gem specifications could have
included terminal characters (bsc#1056286).
- CVE-2017-0900: Fixed an issue with malicious gem specifications, the
query command could have led to a denial of service attack against
clients (bsc#1056286).
- CVE-2017-0901: Fixed an issue with malicious gem specifications,
potentially overwriting arbitrary files on the client system
(bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications, that
could have enabled MITM attacks against clients (bsc#1056286).
- CVE-2017-0903: Fixed an unsafe object deserialization vulnerability
(bsc#1062452).
- CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range()
during regex compilation (bsc#1069607).
- CVE-2017-9229: Fixed an invalid pointer dereference in
left_adjust_char_head() in oniguruma (bsc#1069632).
- CVE-2017-10784: Fixed an escape sequence injection vulnerability in the
Basic authentication of WEBrick (bsc#1058754).
- CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1
decode (bsc#1058757).
- CVE-2017-14064: Fixed an arbitrary memory exposure during a
JSON.generate call (bsc#1056782).
- CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP
(bsc#1073002).
- CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick
(bsc#1087434).
- CVE-2017-17790: Fixed a command injection in
lib/resolv.rb:lazy_initialize() (bsc#1078782).
- CVE-2018-6914: Fixed an unintentional file and directory creation with
directory traversal in tempfile and tmpdir (bsc#1087441).
- CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick
(bsc#1087436).
- CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL
byte in UNIXServer and UNIXSocket (bsc#1087440).
- CVE-2018-8780: Fixed an unintentional directory traversal by poisoned
NUL byte in Dir (bsc#1087437).
- CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality
checking (bsc#1112530).
- CVE-2018-16396: Fixed an issue with tainted string handling, where the
flag was not propagated in Array#pack and String#unpack with some
directives (bsc#1112532).
- CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability
in gem owner, allowing arbitrary code execution with specially crafted
YAML (bsc#1082008).
- CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative
size in tar header causes Denial of Service (bsc#1082014).
- CVE-2018-1000076: Fixed an improper verification of signatures in
tarballs (bsc#1082009).
- CVE-2018-1000077: Fixed an improper URL validation in the homepage
attribute of ruby gems (bsc#1082010).
- CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute
when displayed via gem server (bsc#1082011).
- CVE-2018-1000079: Fixed a path traversal issue during gem installation
allows to write to arbitrary filesystem locations (bsc#1082058).
- CVE-2019-8320: Fixed a directory traversal issue when decompressing tar
files (bsc#1130627).
- CVE-2019-8321: Fixed an escape sequence injection vulnerability in
verbose (bsc#1130623).
- CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem
owner (bsc#1130622).
- CVE-2019-8323: Fixed an escape sequence injection vulnerability in API
response handling (bsc#1130620).
- CVE-2019-8324: Fixed an issue with malicious gems that may have led to
arbitrary code execution (bsc#1130617).
- CVE-2019-8325: Fixed an escape sequence injection vulnerability in
errors (bsc#1130611).
- CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and
File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service
vulnerability in WEBrick's digest access authentication (bsc#1152995).
- CVE-2019-16254: Fixed an HTTP response splitting vulnerability in
WEBrick (bsc#1152992).
- CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and
Shell#test (bsc#1152990).
- CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON
(bsc#1171517).
Non-security issue fixed:
- Add conflicts to libruby to make sure ruby and ruby-stdlib are also
updated when libruby is updated (bsc#1048072).
Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the
updated ruby interpreter. (bsc#1172275)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud Crowbar 8:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1570=1
- SUSE OpenStack Cloud 8:
zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1570=1
- SUSE OpenStack Cloud 7:
zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1570=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1570=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1570=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1570=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1570=1
- SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1570=1
- SUSE Linux Enterprise Server 12-SP4:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1570=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1570=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1570=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1570=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1570=1
- SUSE Enterprise Storage 5:
zypper in -t patch SUSE-Storage-5-2020-1570=1
- HPE Helion Openstack 8:
zypper in -t patch HPE-Helion-OpenStack-8-2020-1570=1
Package List:
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
- SUSE OpenStack Cloud 8 (x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
- SUSE OpenStack Cloud 7 (s390x x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
yast2-ruby-bindings-3.1.53-9.8.1
yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
yast2-ruby-bindings-debugsource-3.1.53-9.8.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-devel-2.1.9-19.3.2
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-devel-2.1.9-19.3.2
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
yast2-ruby-bindings-3.1.53-9.8.1
yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
yast2-ruby-bindings-debugsource-3.1.53-9.8.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
yast2-ruby-bindings-3.1.53-9.8.1
yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
yast2-ruby-bindings-debugsource-3.1.53-9.8.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
yast2-ruby-bindings-3.1.53-9.8.1
yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
yast2-ruby-bindings-debugsource-3.1.53-9.8.1
- SUSE Enterprise Storage 5 (aarch64 x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
- HPE Helion Openstack 8 (x86_64):
libruby2_1-2_1-2.1.9-19.3.2
libruby2_1-2_1-debuginfo-2.1.9-19.3.2
ruby2.1-2.1.9-19.3.2
ruby2.1-debuginfo-2.1.9-19.3.2
ruby2.1-debugsource-2.1.9-19.3.2
ruby2.1-stdlib-2.1.9-19.3.2
ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
References:
https://www.suse.com/security/cve/CVE-2015-9096.html
https://www.suse.com/security/cve/CVE-2016-2339.html
https://www.suse.com/security/cve/CVE-2016-7798.html
https://www.suse.com/security/cve/CVE-2017-0898.html
https://www.suse.com/security/cve/CVE-2017-0899.html
https://www.suse.com/security/cve/CVE-2017-0900.html
https://www.suse.com/security/cve/CVE-2017-0901.html
https://www.suse.com/security/cve/CVE-2017-0902.html
https://www.suse.com/security/cve/CVE-2017-0903.html
https://www.suse.com/security/cve/CVE-2017-10784.html
https://www.suse.com/security/cve/CVE-2017-14033.html
https://www.suse.com/security/cve/CVE-2017-14064.html
https://www.suse.com/security/cve/CVE-2017-17405.html
https://www.suse.com/security/cve/CVE-2017-17742.html
https://www.suse.com/security/cve/CVE-2017-17790.html
https://www.suse.com/security/cve/CVE-2017-9228.html
https://www.suse.com/security/cve/CVE-2017-9229.html
https://www.suse.com/security/cve/CVE-2018-1000073.html
https://www.suse.com/security/cve/CVE-2018-1000074.html
https://www.suse.com/security/cve/CVE-2018-1000075.html
https://www.suse.com/security/cve/CVE-2018-1000076.html
https://www.suse.com/security/cve/CVE-2018-1000077.html
https://www.suse.com/security/cve/CVE-2018-1000078.html
https://www.suse.com/security/cve/CVE-2018-1000079.html
https://www.suse.com/security/cve/CVE-2018-16395.html
https://www.suse.com/security/cve/CVE-2018-16396.html
https://www.suse.com/security/cve/CVE-2018-6914.html
https://www.suse.com/security/cve/CVE-2018-8777.html
https://www.suse.com/security/cve/CVE-2018-8778.html
https://www.suse.com/security/cve/CVE-2018-8779.html
https://www.suse.com/security/cve/CVE-2018-8780.html
https://www.suse.com/security/cve/CVE-2019-15845.html
https://www.suse.com/security/cve/CVE-2019-16201.html
https://www.suse.com/security/cve/CVE-2019-16254.html
https://www.suse.com/security/cve/CVE-2019-16255.html
https://www.suse.com/security/cve/CVE-2019-8320.html
https://www.suse.com/security/cve/CVE-2019-8321.html
https://www.suse.com/security/cve/CVE-2019-8322.html
https://www.suse.com/security/cve/CVE-2019-8323.html
https://www.suse.com/security/cve/CVE-2019-8324.html
https://www.suse.com/security/cve/CVE-2019-8325.html
https://www.suse.com/security/cve/CVE-2020-10663.html
https://bugzilla.suse.com/1043983
https://bugzilla.suse.com/1048072
https://bugzilla.suse.com/1055265
https://bugzilla.suse.com/1056286
https://bugzilla.suse.com/1056782
https://bugzilla.suse.com/1058754
https://bugzilla.suse.com/1058755
https://bugzilla.suse.com/1058757
https://bugzilla.suse.com/1062452
https://bugzilla.suse.com/1069607
https://bugzilla.suse.com/1069632
https://bugzilla.suse.com/1073002
https://bugzilla.suse.com/1078782
https://bugzilla.suse.com/1082007
https://bugzilla.suse.com/1082008
https://bugzilla.suse.com/1082009
https://bugzilla.suse.com/1082010
https://bugzilla.suse.com/1082011
https://bugzilla.suse.com/1082014
https://bugzilla.suse.com/1082058
https://bugzilla.suse.com/1087433
https://bugzilla.suse.com/1087434
https://bugzilla.suse.com/1087436
https://bugzilla.suse.com/1087437
https://bugzilla.suse.com/1087440
https://bugzilla.suse.com/1087441
https://bugzilla.suse.com/1112530
https://bugzilla.suse.com/1112532
https://bugzilla.suse.com/1130611
https://bugzilla.suse.com/1130617
https://bugzilla.suse.com/1130620
https://bugzilla.suse.com/1130622
https://bugzilla.suse.com/1130623
https://bugzilla.suse.com/1130627
https://bugzilla.suse.com/1152990
https://bugzilla.suse.com/1152992
https://bugzilla.suse.com/1152994
https://bugzilla.suse.com/1152995
https://bugzilla.suse.com/1171517
https://bugzilla.suse.com/1172275
More information about the sle-security-updates
mailing list