[ALAS2-2024-2486] Amazon Linux 2 2017.12 - ALAS2-2024-2486: important priority package update for ruby
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2021-41819:
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
CVE-2019-16255:
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
CVE-2019-16254:
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
CVE-2019-16201:
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
CVE-2019-15845:
A flaw was discovered in Ruby in the way certain functions handled strings containing NULL bytes. Specifically, the built-in methods File.fnmatch and its alias File.fnmatch? did not properly handle path patterns containing the NULL byte. A remote attacker could exploit this flaw to make a Ruby script access unexpected files and to bypass intended file system access restrictions.
- ID
- ALAS2-2024-2486
- Severity
- important
- URL
- https://alas.aws.amazon.com/AL2/ALAS-2024-2486.html
- Published
-
2024-02-29T10:03:00
(6 months ago) - Modified
-
2024-02-29T10:03:00
(6 months ago) - Rights
- Amazon Linux Security Team
- Other Advisories
-
- ALAS-2020-1422
- ALPINE:CVE-2019-15845
- ALPINE:CVE-2019-16201
- ALPINE:CVE-2019-16254
- ALPINE:CVE-2019-16255
- ALPINE:CVE-2021-41819
- ALSA-2021:2587
- ALSA-2021:2588
- ALSA-2022:0543
- ALSA-2022:5779
- ALSA-2022:6447
- ALSA-2022:6450
- ASA-201910-2
- DSA-4586-1
- DSA-4587-1
- DSA-5066-1
- DSA-5067-1
- ELSA-2021-2587
- ELSA-2021-2588
- ELSA-2022-0543
- ELSA-2022-5779
- ELSA-2022-6447
- ELSA-2022-6450
- FEDORA-2022-82a9edac27
- FEDORA-2022-8cf0124add
- FREEBSD:4548EC97-4D38-11EC-A539-0800270512F4
- FREEBSD:F7FCB75C-E537-11E9-863E-B9B7AF01BA9E
- GLSA-202003-06
- GLSA-202401-27
- MS:CVE-2019-15845
- MS:CVE-2019-16201
- MS:CVE-2019-16254
- MS:CVE-2019-16255
- MS:CVE-2021-41819
- openSUSE-SU-2020:0395-1
- RHSA-2021:2587
- RHSA-2021:2588
- RHSA-2022:0543
- RHSA-2022:5779
- RHSA-2022:6447
- RHSA-2022:6450
- RLSA-2021:2587
- RLSA-2021:2588
- RLSA-2022:0543
- RLSA-2022:5779
- RLSA-2022:6447
- RLSA-2022:6450
- RUBYSEC:CGI-2021-41819
- RUBYSEC:PUMA-2020-5247
- SUSE-SU-2020:0737-1
- SUSE-SU-2020:1570-1
- SUSE-SU-2022:3292-1
- USN-4201-1
- USN-5235-1
Source | # ID | Name | URL |
---|---|---|---|
CVE | CVE-2019-15845 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845 | |
CVE | CVE-2019-16201 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201 | |
CVE | CVE-2019-16254 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254 | |
CVE | CVE-2019-16255 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255 | |
CVE | CVE-2021-41819 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41819 |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/amazonlinux/rubygems?arch=noarch&distro=amazonlinux-2 | amazonlinux | rubygems | < 2.0.14.1-36.amzn2.0.7 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/rubygems-devel?arch=noarch&distro=amazonlinux-2 | amazonlinux | rubygems-devel | < 2.0.14.1-36.amzn2.0.7 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/rubygem-rdoc?arch=noarch&distro=amazonlinux-2 | amazonlinux | rubygem-rdoc | < 4.0.0-36.amzn2.0.7 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/rubygem-rake?arch=noarch&distro=amazonlinux-2 | amazonlinux | rubygem-rake | < 0.9.6-36.amzn2.0.7 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/rubygem-psych?arch=x86_64&distro=amazonlinux-2 | amazonlinux | rubygem-psych | < 2.0.0-36.amzn2.0.7 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/rubygem-psych?arch=i686&distro=amazonlinux-2 | amazonlinux | rubygem-psych | < 2.0.0-36.amzn2.0.7 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/rubygem-psych?arch=aarch64&distro=amazonlinux-2 | amazonlinux | rubygem-psych | < 2.0.0-36.amzn2.0.7 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/rubygem-minitest?arch=noarch&distro=amazonlinux-2 | amazonlinux | rubygem-minitest | < 4.3.2-36.amzn2.0.7 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/rubygem-json?arch=x86_64&distro=amazonlinux-2 | amazonlinux | rubygem-json | < 1.7.7-36.amzn2.0.7 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/rubygem-json?arch=i686&distro=amazonlinux-2 | amazonlinux | rubygem-json | < 1.7.7-36.amzn2.0.7 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/rubygem-json?arch=aarch64&distro=amazonlinux-2 | amazonlinux | rubygem-json | < 1.7.7-36.amzn2.0.7 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/rubygem-io-console?arch=x86_64&distro=amazonlinux-2 | amazonlinux | rubygem-io-console | < 0.4.2-36.amzn2.0.7 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/rubygem-io-console?arch=i686&distro=amazonlinux-2 | amazonlinux | rubygem-io-console | < 0.4.2-36.amzn2.0.7 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/rubygem-io-console?arch=aarch64&distro=amazonlinux-2 | amazonlinux | rubygem-io-console | < 0.4.2-36.amzn2.0.7 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=x86_64&distro=amazonlinux-2 | amazonlinux | rubygem-bigdecimal | < 1.2.0-36.amzn2.0.7 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=i686&distro=amazonlinux-2 | amazonlinux | rubygem-bigdecimal | < 1.2.0-36.amzn2.0.7 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=aarch64&distro=amazonlinux-2 | amazonlinux | rubygem-bigdecimal | < 1.2.0-36.amzn2.0.7 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/ruby?arch=x86_64&distro=amazonlinux-2 | amazonlinux | ruby | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/ruby?arch=i686&distro=amazonlinux-2 | amazonlinux | ruby | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/ruby?arch=aarch64&distro=amazonlinux-2 | amazonlinux | ruby | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/ruby-tcltk?arch=x86_64&distro=amazonlinux-2 | amazonlinux | ruby-tcltk | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/ruby-tcltk?arch=i686&distro=amazonlinux-2 | amazonlinux | ruby-tcltk | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/ruby-tcltk?arch=aarch64&distro=amazonlinux-2 | amazonlinux | ruby-tcltk | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/ruby-libs?arch=x86_64&distro=amazonlinux-2 | amazonlinux | ruby-libs | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/ruby-libs?arch=i686&distro=amazonlinux-2 | amazonlinux | ruby-libs | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/ruby-libs?arch=aarch64&distro=amazonlinux-2 | amazonlinux | ruby-libs | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/ruby-irb?arch=noarch&distro=amazonlinux-2 | amazonlinux | ruby-irb | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/ruby-doc?arch=noarch&distro=amazonlinux-2 | amazonlinux | ruby-doc | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | noarch | |
Affected | pkg:rpm/amazonlinux/ruby-devel?arch=x86_64&distro=amazonlinux-2 | amazonlinux | ruby-devel | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/ruby-devel?arch=i686&distro=amazonlinux-2 | amazonlinux | ruby-devel | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/ruby-devel?arch=aarch64&distro=amazonlinux-2 | amazonlinux | ruby-devel | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | aarch64 | |
Affected | pkg:rpm/amazonlinux/ruby-debuginfo?arch=x86_64&distro=amazonlinux-2 | amazonlinux | ruby-debuginfo | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | x86_64 | |
Affected | pkg:rpm/amazonlinux/ruby-debuginfo?arch=i686&distro=amazonlinux-2 | amazonlinux | ruby-debuginfo | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | i686 | |
Affected | pkg:rpm/amazonlinux/ruby-debuginfo?arch=aarch64&distro=amazonlinux-2 | amazonlinux | ruby-debuginfo | < 2.0.0.648-36.amzn2.0.7 | amazonlinux-2 | aarch64 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |