[ALAS2-2019-1249] Amazon Linux 2 2017.12 - ALAS2-2019-1249: important priority package update for ruby

Severity Important
Affected Packages 34
CVEs 4

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2019-8325:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
1692522:
CVE-2019-8325 rubygems: Escape sequence injection vulnerability in errors

CVE-2019-8324:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
1692520:
CVE-2019-8324 rubygems: Installing a malicious gem may lead to arbitrary code execution

CVE-2019-8323:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
1692519:
CVE-2019-8323 rubygems: Escape sequence injection vulnerability in API response handling

CVE-2019-8322:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
1692516:
CVE-2019-8322 rubygems: Escape sequence injection vulnerability in gem owner
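
The three escape sequence injection issues above share one defensive pattern: neutralize terminal control characters in untrusted text before printing it. CVE-2019-8324 calls for rejecting, rather than cleaning, a name that spans lines. The sketch below is an added example, not code from RubyGems or this advisory; the helper names, the allow-list pattern and the sample response are assumptions constructed for illustration.

```ruby
# Added illustration; helper names are hypothetical, not RubyGems API.

# C0 control characters except \t, \n and \r, plus DEL. ESC (0x1b) is in
# this range, so every ANSI/OSC escape sequence loses its introducer.
CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# Replace terminal control characters in untrusted text (error messages,
# API response bodies) with "." so the terminal shows them as data.
def neutralize_for_terminal(text)
  text.to_s.scrub(".").gsub(CONTROL_CHARS, ".")
end

# Return the escape sequences found in untrusted text in printable form,
# so they can be logged for review without being replayed to a terminal.
# Recognizes CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ST) and
# two-character sequences.
def escape_sequences_in(text)
  pattern = /\e(?:\[[0-9;?]*[ -\/]*[@-~]|\][^\a\e]*(?:\a|\e\\)?|.)?/m
  text.to_s.scrub(".").scan(pattern).map(&:inspect)
end

# Assumed allow-list for a package name. \A and \z anchor the whole string;
# ^ and $ would anchor each line in Ruby and let a multi-line name pass.
def valid_gem_name?(name)
  name.is_a?(String) && name.match?(/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/)
end

# Constructed sample: a response body carrying a colour change and a
# window-title (OSC) sequence.
SAMPLE_RESPONSE = "Owner added\e[31m FAILED\e[0m\e]0;title\a"

if __FILE__ == $0
  puts neutralize_for_terminal(SAMPLE_RESPONSE)
  puts escape_sequences_in(SAMPLE_RESPONSE).join(", ")
  puts valid_gem_name?("demo\nsecond line")
end
```
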

Package Affected Version
pkg:rpm/amazonlinux/rubygems?arch=noarch&distro=amazonlinux-2 < 2.0.14.1-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygems-devel?arch=noarch&distro=amazonlinux-2 < 2.0.14.1-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-rdoc?arch=noarch&distro=amazonlinux-2 < 4.0.0-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-rake?arch=noarch&distro=amazonlinux-2 < 0.9.6-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-psych?arch=x86_64&distro=amazonlinux-2 < 2.0.0-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-psych?arch=i686&distro=amazonlinux-2 < 2.0.0-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-psych?arch=aarch64&distro=amazonlinux-2 < 2.0.0-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-minitest?arch=noarch&distro=amazonlinux-2 < 4.3.2-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-json?arch=x86_64&distro=amazonlinux-2 < 1.7.7-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-json?arch=i686&distro=amazonlinux-2 < 1.7.7-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-json?arch=aarch64&distro=amazonlinux-2 < 1.7.7-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-io-console?arch=x86_64&distro=amazonlinux-2 < 0.4.2-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-io-console?arch=i686&distro=amazonlinux-2 < 0.4.2-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-io-console?arch=aarch64&distro=amazonlinux-2 < 0.4.2-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=x86_64&distro=amazonlinux-2 < 1.2.0-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=i686&distro=amazonlinux-2 < 1.2.0-35.amzn2.0.1
pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=aarch64&distro=amazonlinux-2 < 1.2.0-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby?arch=x86_64&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby?arch=i686&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby?arch=aarch64&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-tcltk?arch=x86_64&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-tcltk?arch=i686&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-tcltk?arch=aarch64&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-libs?arch=x86_64&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-libs?arch=i686&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-libs?arch=aarch64&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-irb?arch=noarch&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-doc?arch=noarch&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-devel?arch=x86_64&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-devel?arch=i686&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-devel?arch=aarch64&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-debuginfo?arch=x86_64&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-debuginfo?arch=i686&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1
pkg:rpm/amazonlinux/ruby-debuginfo?arch=aarch64&distro=amazonlinux-2 < 2.0.0.648-35.amzn2.0.1