[ALAS2-2019-1249] Amazon Linux 2 2017.12 - ALAS2-2019-1249: important priority package update for ruby
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2019-8325:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
1692522:
CVE-2019-8325 rubygems: Escape sequence injection vulnerability in errors
CVE-2019-8324:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
1692520:
CVE-2019-8324 rubygems: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8323:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
1692519:
CVE-2019-8323 rubygems: Escape sequence injection vulnerability in API response handling
CVE-2019-8322:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
1692516:
CVE-2019-8322 rubygems: Escape sequence injection vulnerability in gem owner
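Three of the four issues above share one root cause: text from an untrusted source (an error message, an API response) is written to the terminal unfiltered, so control sequences embedded in it are interpreted by the terminal rather than displayed. CVE-2019-8324 is a separate input-validation gap, a gem name that spans more than one line and so escapes the single generated stub line. The following Ruby is an added example, not code from the advisory or from RubyGems: `sanitize_for_terminal` and `safe_gem_name?` are hypothetical helper names, the sample strings are constructed, and the allowed character set in `safe_gem_name?` is an assumption for illustration, not RubyGems' own naming rule.

```ruby
# Added example, not from the advisory or RubyGems. Defensive handling for the
# two flaw classes in ALAS2-2019-1249: terminal escape sequence injection in
# output, and a multi-line gem name reaching a generated (eval-ed) stub line.

# ESC-introduced sequences: CSI (ESC [ params intermediates final), OSC
# (ESC ] text, terminated by BEL or ESC \), any other two-byte ESC sequence,
# and finally a stray ESC on its own. Order matters: CSI/OSC before the
# generic two-byte form, because [ and ] fall inside its final-byte range.
ESC_SEQUENCE = /
  \e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]   # CSI
  | \e\][^\x07\e]*(?:\x07|\e\\)             # OSC
  | \e[\x40-\x5f]                           # other two-byte ESC sequence
  | \e                                      # stray ESC
/x

# Remaining C0 and C1 control characters, keeping tab and newline readable.
CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\u0080-\u009f]/

# Make untrusted text safe to write to a terminal: drop escape sequences and
# render leftover control characters visibly as \xNN so nothing is interpreted.
def sanitize_for_terminal(text)
  s = text.to_s.dup.force_encoding(Encoding::UTF_8).scrub('?')
  s = s.gsub(ESC_SEQUENCE, '')
  s.gsub(CONTROL_CHARS) { |c| format('\\x%02X', c.ord) }
end

# Reject gem names that could break out of a single generated line. The
# allowed character set here is an assumption for illustration, not RubyGems'
# own rule. \A and \z are deliberate: in Ruby, ^ and $ match at line
# boundaries, so a $-anchored check would accept a name with a newline in it.
def safe_gem_name?(name)
  name.is_a?(String) && name.match?(/\A[A-Za-z0-9_.\-]+\z/)
end

# Constructed samples standing in for a crafted API response and gem name.
CRAFTED_RESPONSE = "Owner added: \e[2J\e[H\e]0;fake title\a admin\x07 done"
CRAFTED_NAME = "rake\nputs 'injected'"

if __FILE__ == $PROGRAM_NAME
  puts sanitize_for_terminal(CRAFTED_RESPONSE)
  puts "name ok? #{safe_gem_name?(CRAFTED_NAME)}"
end
```

The sanitizer removes whole sequences rather than just the ESC byte, so a cleared screen, cursor move or window-title change in the sample response leaves no fragment behind; any control byte that is not part of a recognised sequence is shown as `\xNN` so an operator can see that something was there. The name check is the other half of the advisory: validating the input before it is placed into generated code, and anchoring the pattern to the whole string rather than to a line.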
- ID: ALAS2-2019-1249
- Severity: important
- URL: https://alas.aws.amazon.com/AL2/ALAS-2019-1249.html
- Published: 2019-07-18T18:14:00
- Modified: 2019-07-22T16:49:00
- Rights: Amazon Linux Security Team
- Other Advisories:
- ALAS-2019-1255
- ALBA-2019:3384
- ALPINE:CVE-2019-8322
- ALPINE:CVE-2019-8323
- ALPINE:CVE-2019-8324
- ALPINE:CVE-2019-8325
- ALSA-2019:1972
- DSA-4433-1
- ELSA-2019-1235
- ELSA-2019-1972
- FEDORA-2019-a155364f3c
- FEDORA-2019-feac6674b7
- FREEBSD:27B12D04-4722-11E9-8B7C-B5E01141761F
- openSUSE-SU-2019:1771-1
- RHBA-2019:3384
- RHSA-2019:1235
- RHSA-2019:1972
- RLBA-2019:3384
- RLSA-2019:1972
- RUBYSEC:RUBYGEMS-UPDATE-2019-8322
- RUBYSEC:RUBYGEMS-UPDATE-2019-8323
- RUBYSEC:RUBYGEMS-UPDATE-2019-8324
- RUBYSEC:RUBYGEMS-UPDATE-2019-8325
- SUSE-SU-2019:1804-1
- SUSE-SU-2020:1570-1
- USN-3945-1
Source | ID | Name | URL |
---|---|---|---|
CVE | CVE-2019-8322 | | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322 |
CVE | CVE-2019-8323 | | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323 |
CVE | CVE-2019-8324 | | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324 |
CVE | CVE-2019-8325 | | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325 |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/amazonlinux/rubygems?arch=noarch&distro=amazonlinux-2 | amazonlinux | rubygems | < 2.0.14.1-35.amzn2.0.1 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/rubygems-devel?arch=noarch&distro=amazonlinux-2 | amazonlinux | rubygems-devel | < 2.0.14.1-35.amzn2.0.1 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/rubygem-rdoc?arch=noarch&distro=amazonlinux-2 | amazonlinux | rubygem-rdoc | < 4.0.0-35.amzn2.0.1 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/rubygem-rake?arch=noarch&distro=amazonlinux-2 | amazonlinux | rubygem-rake | < 0.9.6-35.amzn2.0.1 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/rubygem-psych?arch=x86_64&distro=amazonlinux-2 | amazonlinux | rubygem-psych | < 2.0.0-35.amzn2.0.1 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/rubygem-psych?arch=i686&distro=amazonlinux-2 | amazonlinux | rubygem-psych | < 2.0.0-35.amzn2.0.1 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/rubygem-psych?arch=aarch64&distro=amazonlinux-2 | amazonlinux | rubygem-psych | < 2.0.0-35.amzn2.0.1 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/rubygem-minitest?arch=noarch&distro=amazonlinux-2 | amazonlinux | rubygem-minitest | < 4.3.2-35.amzn2.0.1 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/rubygem-json?arch=x86_64&distro=amazonlinux-2 | amazonlinux | rubygem-json | < 1.7.7-35.amzn2.0.1 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/rubygem-json?arch=i686&distro=amazonlinux-2 | amazonlinux | rubygem-json | < 1.7.7-35.amzn2.0.1 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/rubygem-json?arch=aarch64&distro=amazonlinux-2 | amazonlinux | rubygem-json | < 1.7.7-35.amzn2.0.1 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/rubygem-io-console?arch=x86_64&distro=amazonlinux-2 | amazonlinux | rubygem-io-console | < 0.4.2-35.amzn2.0.1 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/rubygem-io-console?arch=i686&distro=amazonlinux-2 | amazonlinux | rubygem-io-console | < 0.4.2-35.amzn2.0.1 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/rubygem-io-console?arch=aarch64&distro=amazonlinux-2 | amazonlinux | rubygem-io-console | < 0.4.2-35.amzn2.0.1 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=x86_64&distro=amazonlinux-2 | amazonlinux | rubygem-bigdecimal | < 1.2.0-35.amzn2.0.1 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=i686&distro=amazonlinux-2 | amazonlinux | rubygem-bigdecimal | < 1.2.0-35.amzn2.0.1 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=aarch64&distro=amazonlinux-2 | amazonlinux | rubygem-bigdecimal | < 1.2.0-35.amzn2.0.1 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/ruby?arch=x86_64&distro=amazonlinux-2 | amazonlinux | ruby | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/ruby?arch=i686&distro=amazonlinux-2 | amazonlinux | ruby | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/ruby?arch=aarch64&distro=amazonlinux-2 | amazonlinux | ruby | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/ruby-tcltk?arch=x86_64&distro=amazonlinux-2 | amazonlinux | ruby-tcltk | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/ruby-tcltk?arch=i686&distro=amazonlinux-2 | amazonlinux | ruby-tcltk | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/ruby-tcltk?arch=aarch64&distro=amazonlinux-2 | amazonlinux | ruby-tcltk | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/ruby-libs?arch=x86_64&distro=amazonlinux-2 | amazonlinux | ruby-libs | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/ruby-libs?arch=i686&distro=amazonlinux-2 | amazonlinux | ruby-libs | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/ruby-libs?arch=aarch64&distro=amazonlinux-2 | amazonlinux | ruby-libs | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/ruby-irb?arch=noarch&distro=amazonlinux-2 | amazonlinux | ruby-irb | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/ruby-doc?arch=noarch&distro=amazonlinux-2 | amazonlinux | ruby-doc | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/ruby-devel?arch=x86_64&distro=amazonlinux-2 | amazonlinux | ruby-devel | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/ruby-devel?arch=i686&distro=amazonlinux-2 | amazonlinux | ruby-devel | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/ruby-devel?arch=aarch64&distro=amazonlinux-2 | amazonlinux | ruby-devel | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/ruby-debuginfo?arch=x86_64&distro=amazonlinux-2 | amazonlinux | ruby-debuginfo | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/ruby-debuginfo?arch=i686&distro=amazonlinux-2 | amazonlinux | ruby-debuginfo | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/ruby-debuginfo?arch=aarch64&distro=amazonlinux-2 | amazonlinux | ruby-debuginfo | < 2.0.0.648-35.amzn2.0.1 | amazonlinux-2 | aarch64 | |