SUSE-SU-2020:1570-1: important: Security update for ruby2.1

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Jun 9 07:20:02 MDT 2020


   SUSE Security Update: Security update for ruby2.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1570-1
Rating:             important
References:         #1043983 #1048072 #1055265 #1056286 #1056782 
                    #1058754 #1058755 #1058757 #1062452 #1069607 
                    #1069632 #1073002 #1078782 #1082007 #1082008 
                    #1082009 #1082010 #1082011 #1082014 #1082058 
                    #1087433 #1087434 #1087436 #1087437 #1087440 
                    #1087441 #1112530 #1112532 #1130611 #1130617 
                    #1130620 #1130622 #1130623 #1130627 #1152990 
                    #1152992 #1152994 #1152995 #1171517 #1172275 
                    
Cross-References:   CVE-2015-9096 CVE-2016-2339 CVE-2016-7798
                    CVE-2017-0898 CVE-2017-0899 CVE-2017-0900
                    CVE-2017-0901 CVE-2017-0902 CVE-2017-0903
                    CVE-2017-10784 CVE-2017-14033 CVE-2017-14064
                    CVE-2017-17405 CVE-2017-17742 CVE-2017-17790
                    CVE-2017-9228 CVE-2017-9229 CVE-2018-1000073
                    CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                    CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079
                    CVE-2018-16395 CVE-2018-16396 CVE-2018-6914
                    CVE-2018-8777 CVE-2018-8778 CVE-2018-8779
                    CVE-2018-8780 CVE-2019-15845 CVE-2019-16201
                    CVE-2019-16254 CVE-2019-16255 CVE-2019-8320
                    CVE-2019-8321 CVE-2019-8322 CVE-2019-8323
                    CVE-2019-8324 CVE-2019-8325 CVE-2020-10663
                   
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes 42 vulnerabilities is now available.

Description:

   This update for ruby2.1 fixes the following issues:

   Security issues fixed:

   - CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a
     RCPT TO or MAIL FROM command (bsc#1043983).
   - CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
   - CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf
     (bsc#1058755).
   - CVE-2017-0899: Fixed an issue with malicious gem specifications,
     insufficient sanitation when printing gem specifications could have
     included terminal characters (bsc#1056286).
   - CVE-2017-0900: Fixed an issue with malicious gem specifications, the
     query command could have led to a denial of service attack against
     clients (bsc#1056286).
   - CVE-2017-0901: Fixed an issue with malicious gem specifications,
     potentially overwriting arbitrary files on the client system
     (bsc#1056286).
   - CVE-2017-0902: Fixed an issue with malicious gem specifications, that
     could have enabled MITM attacks against clients (bsc#1056286).
   - CVE-2017-0903: Fixed an unsafe object deserialization vulnerability
     (bsc#1062452).
   - CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range()
     during regex compilation (bsc#1069607).
   - CVE-2017-9229: Fixed an invalid pointer dereference in
     left_adjust_char_head() in oniguruma (bsc#1069632).
   - CVE-2017-10784: Fixed an escape sequence injection vulnerability in the
     Basic authentication of WEBrick (bsc#1058754).
   - CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1
     decode (bsc#1058757).
   - CVE-2017-14064: Fixed an arbitrary memory exposure during a
     JSON.generate call (bsc#1056782).
   - CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP
     (bsc#1073002).
   - CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick
     (bsc#1087434).
   - CVE-2017-17790: Fixed a command injection in
     lib/resolv.rb:lazy_initialize() (bsc#1078782).
   - CVE-2018-6914: Fixed an unintentional file and directory creation with
     directory traversal in tempfile and tmpdir (bsc#1087441).
   - CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick
     (bsc#1087436).
   - CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
   - CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL
     byte in UNIXServer and UNIXSocket (bsc#1087440).
   - CVE-2018-8780: Fixed an unintentional directory traversal by poisoned
     NUL byte in Dir (bsc#1087437).
   - CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality
     checking (bsc#1112530).
   - CVE-2018-16396: Fixed an issue with tainted string handling, where the
     flag was not propagated in Array#pack and String#unpack with some
     directives (bsc#1112532).
   - CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
   - CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability
     in gem owner, allowing arbitrary code execution with specially crafted
     YAML (bsc#1082008).
   - CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative
     size in tar header causes Denial of Service (bsc#1082014).
   - CVE-2018-1000076: Fixed an improper verification of signatures in
     tarballs (bsc#1082009).
   - CVE-2018-1000077: Fixed an improper URL validation in the homepage
     attribute of ruby gems (bsc#1082010).
   - CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute
     when displayed via gem server (bsc#1082011).
   - CVE-2018-1000079: Fixed a path traversal issue during gem installation
     allows to write to arbitrary filesystem locations (bsc#1082058).
   - CVE-2019-8320: Fixed a directory traversal issue when decompressing tar
     files (bsc#1130627).
   - CVE-2019-8321: Fixed an escape sequence injection vulnerability in
     verbose (bsc#1130623).
   - CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem
     owner (bsc#1130622).
   - CVE-2019-8323: Fixed an escape sequence injection vulnerability in API
     response handling (bsc#1130620).
   - CVE-2019-8324: Fixed an issue with malicious gems that may have led to
     arbitrary code execution (bsc#1130617).
   - CVE-2019-8325: Fixed an escape sequence injection vulnerability in
     errors (bsc#1130611).
   - CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and
     File.fnmatch? (bsc#1152994).
   - CVE-2019-16201: Fixed a regular expression denial of service
     vulnerability in WEBrick's digest access authentication (bsc#1152995).
   - CVE-2019-16254: Fixed an HTTP response splitting vulnerability in
     WEBrick (bsc#1152992).
   - CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and
     Shell#test (bsc#1152990).
   - CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON
     (bsc#1171517).

   Non-security issue fixed:

   - Add conflicts to libruby to make sure ruby and ruby-stdlib are also
     updated when libruby is updated (bsc#1048072).

   Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the
   updated ruby interpreter. (bsc#1172275)


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1570=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1570=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1570=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1570=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1570=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1570=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1570=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1570=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1570=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1570=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1570=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1570=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1570=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-1570=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-1570=1



Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2

   - SUSE OpenStack Cloud 8 (x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
      yast2-ruby-bindings-3.1.53-9.8.1
      yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
      yast2-ruby-bindings-debugsource-3.1.53-9.8.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-devel-2.1.9-19.3.2

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-devel-2.1.9-19.3.2

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
      yast2-ruby-bindings-3.1.53-9.8.1
      yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
      yast2-ruby-bindings-debugsource-3.1.53-9.8.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2

   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
      yast2-ruby-bindings-3.1.53-9.8.1
      yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
      yast2-ruby-bindings-debugsource-3.1.53-9.8.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
      yast2-ruby-bindings-3.1.53-9.8.1
      yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
      yast2-ruby-bindings-debugsource-3.1.53-9.8.1

   - SUSE Enterprise Storage 5 (aarch64 x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2

   - HPE Helion Openstack 8 (x86_64):

      libruby2_1-2_1-2.1.9-19.3.2
      libruby2_1-2_1-debuginfo-2.1.9-19.3.2
      ruby2.1-2.1.9-19.3.2
      ruby2.1-debuginfo-2.1.9-19.3.2
      ruby2.1-debugsource-2.1.9-19.3.2
      ruby2.1-stdlib-2.1.9-19.3.2
      ruby2.1-stdlib-debuginfo-2.1.9-19.3.2


References:

   https://www.suse.com/security/cve/CVE-2015-9096.html
   https://www.suse.com/security/cve/CVE-2016-2339.html
   https://www.suse.com/security/cve/CVE-2016-7798.html
   https://www.suse.com/security/cve/CVE-2017-0898.html
   https://www.suse.com/security/cve/CVE-2017-0899.html
   https://www.suse.com/security/cve/CVE-2017-0900.html
   https://www.suse.com/security/cve/CVE-2017-0901.html
   https://www.suse.com/security/cve/CVE-2017-0902.html
   https://www.suse.com/security/cve/CVE-2017-0903.html
   https://www.suse.com/security/cve/CVE-2017-10784.html
   https://www.suse.com/security/cve/CVE-2017-14033.html
   https://www.suse.com/security/cve/CVE-2017-14064.html
   https://www.suse.com/security/cve/CVE-2017-17405.html
   https://www.suse.com/security/cve/CVE-2017-17742.html
   https://www.suse.com/security/cve/CVE-2017-17790.html
   https://www.suse.com/security/cve/CVE-2017-9228.html
   https://www.suse.com/security/cve/CVE-2017-9229.html
   https://www.suse.com/security/cve/CVE-2018-1000073.html
   https://www.suse.com/security/cve/CVE-2018-1000074.html
   https://www.suse.com/security/cve/CVE-2018-1000075.html
   https://www.suse.com/security/cve/CVE-2018-1000076.html
   https://www.suse.com/security/cve/CVE-2018-1000077.html
   https://www.suse.com/security/cve/CVE-2018-1000078.html
   https://www.suse.com/security/cve/CVE-2018-1000079.html
   https://www.suse.com/security/cve/CVE-2018-16395.html
   https://www.suse.com/security/cve/CVE-2018-16396.html
   https://www.suse.com/security/cve/CVE-2018-6914.html
   https://www.suse.com/security/cve/CVE-2018-8777.html
   https://www.suse.com/security/cve/CVE-2018-8778.html
   https://www.suse.com/security/cve/CVE-2018-8779.html
   https://www.suse.com/security/cve/CVE-2018-8780.html
   https://www.suse.com/security/cve/CVE-2019-15845.html
   https://www.suse.com/security/cve/CVE-2019-16201.html
   https://www.suse.com/security/cve/CVE-2019-16254.html
   https://www.suse.com/security/cve/CVE-2019-16255.html
   https://www.suse.com/security/cve/CVE-2019-8320.html
   https://www.suse.com/security/cve/CVE-2019-8321.html
   https://www.suse.com/security/cve/CVE-2019-8322.html
   https://www.suse.com/security/cve/CVE-2019-8323.html
   https://www.suse.com/security/cve/CVE-2019-8324.html
   https://www.suse.com/security/cve/CVE-2019-8325.html
   https://www.suse.com/security/cve/CVE-2020-10663.html
   https://bugzilla.suse.com/1043983
   https://bugzilla.suse.com/1048072
   https://bugzilla.suse.com/1055265
   https://bugzilla.suse.com/1056286
   https://bugzilla.suse.com/1056782
   https://bugzilla.suse.com/1058754
   https://bugzilla.suse.com/1058755
   https://bugzilla.suse.com/1058757
   https://bugzilla.suse.com/1062452
   https://bugzilla.suse.com/1069607
   https://bugzilla.suse.com/1069632
   https://bugzilla.suse.com/1073002
   https://bugzilla.suse.com/1078782
   https://bugzilla.suse.com/1082007
   https://bugzilla.suse.com/1082008
   https://bugzilla.suse.com/1082009
   https://bugzilla.suse.com/1082010
   https://bugzilla.suse.com/1082011
   https://bugzilla.suse.com/1082014
   https://bugzilla.suse.com/1082058
   https://bugzilla.suse.com/1087433
   https://bugzilla.suse.com/1087434
   https://bugzilla.suse.com/1087436
   https://bugzilla.suse.com/1087437
   https://bugzilla.suse.com/1087440
   https://bugzilla.suse.com/1087441
   https://bugzilla.suse.com/1112530
   https://bugzilla.suse.com/1112532
   https://bugzilla.suse.com/1130611
   https://bugzilla.suse.com/1130617
   https://bugzilla.suse.com/1130620
   https://bugzilla.suse.com/1130622
   https://bugzilla.suse.com/1130623
   https://bugzilla.suse.com/1130627
   https://bugzilla.suse.com/1152990
   https://bugzilla.suse.com/1152992
   https://bugzilla.suse.com/1152994
   https://bugzilla.suse.com/1152995
   https://bugzilla.suse.com/1171517
   https://bugzilla.suse.com/1172275



More information about the sle-security-updates mailing list