[ALAS2-2024-2486] Amazon Linux 2 2017.12 - ALAS2-2024-2486: important priority package update for ruby

Severity Important

Affected Packages 34

CVEs 5

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2021-41819:
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

CVE-2019-16255:
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

CVE-2019-16254:
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

CVE-2019-16201:
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.

CVE-2019-15845:
A flaw was discovered in Ruby in the way certain functions handled strings containing NULL bytes. Specifically, the built-in methods File.fnmatch and its alias File.fnmatch? did not properly handle path patterns containing the NULL byte. A remote attacker could exploit this flaw to make a Ruby script access unexpected files and to bypass intended file system access restrictions.

Package	Affected Version
pkg:rpm/amazonlinux/rubygems?arch=noarch&distro=amazonlinux-2	< 2.0.14.1-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygems-devel?arch=noarch&distro=amazonlinux-2	< 2.0.14.1-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-rdoc?arch=noarch&distro=amazonlinux-2	< 4.0.0-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-rake?arch=noarch&distro=amazonlinux-2	< 0.9.6-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-psych?arch=x86_64&distro=amazonlinux-2	< 2.0.0-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-psych?arch=i686&distro=amazonlinux-2	< 2.0.0-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-psych?arch=aarch64&distro=amazonlinux-2	< 2.0.0-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-minitest?arch=noarch&distro=amazonlinux-2	< 4.3.2-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-json?arch=x86_64&distro=amazonlinux-2	< 1.7.7-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-json?arch=i686&distro=amazonlinux-2	< 1.7.7-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-json?arch=aarch64&distro=amazonlinux-2	< 1.7.7-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-io-console?arch=x86_64&distro=amazonlinux-2	< 0.4.2-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-io-console?arch=i686&distro=amazonlinux-2	< 0.4.2-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-io-console?arch=aarch64&distro=amazonlinux-2	< 0.4.2-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=x86_64&distro=amazonlinux-2	< 1.2.0-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=i686&distro=amazonlinux-2	< 1.2.0-36.amzn2.0.7
pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=aarch64&distro=amazonlinux-2	< 1.2.0-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby?arch=x86_64&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby?arch=i686&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby?arch=aarch64&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-tcltk?arch=x86_64&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-tcltk?arch=i686&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-tcltk?arch=aarch64&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-libs?arch=x86_64&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-libs?arch=i686&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-libs?arch=aarch64&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-irb?arch=noarch&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-doc?arch=noarch&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-devel?arch=x86_64&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-devel?arch=i686&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-devel?arch=aarch64&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-debuginfo?arch=x86_64&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-debuginfo?arch=i686&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7
pkg:rpm/amazonlinux/ruby-debuginfo?arch=aarch64&distro=amazonlinux-2	< 2.0.0.648-36.amzn2.0.7

ID

ALAS2-2024-2486

Severity

important

URL

https://alas.aws.amazon.com/AL2/ALAS-2024-2486.html

Published

2024-02-29T10:03:00
(6 months ago)

Modified

2024-02-29T10:03:00
(6 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	URL
CVE	CVE-2019-15845	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845
CVE	CVE-2019-16201	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201
CVE	CVE-2019-16254	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254
CVE	CVE-2019-16255	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255
CVE	CVE-2021-41819	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41819

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/rubygems?arch=noarch&distro=amazonlinux-2	amazonlinux	rubygems	< 2.0.14.1-36.amzn2.0.7	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/rubygems-devel?arch=noarch&distro=amazonlinux-2	amazonlinux	rubygems-devel	< 2.0.14.1-36.amzn2.0.7	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/rubygem-rdoc?arch=noarch&distro=amazonlinux-2	amazonlinux	rubygem-rdoc	< 4.0.0-36.amzn2.0.7	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/rubygem-rake?arch=noarch&distro=amazonlinux-2	amazonlinux	rubygem-rake	< 0.9.6-36.amzn2.0.7	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/rubygem-psych?arch=x86_64&distro=amazonlinux-2	amazonlinux	rubygem-psych	< 2.0.0-36.amzn2.0.7	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/rubygem-psych?arch=i686&distro=amazonlinux-2	amazonlinux	rubygem-psych	< 2.0.0-36.amzn2.0.7	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/rubygem-psych?arch=aarch64&distro=amazonlinux-2	amazonlinux	rubygem-psych	< 2.0.0-36.amzn2.0.7	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/rubygem-minitest?arch=noarch&distro=amazonlinux-2	amazonlinux	rubygem-minitest	< 4.3.2-36.amzn2.0.7	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/rubygem-json?arch=x86_64&distro=amazonlinux-2	amazonlinux	rubygem-json	< 1.7.7-36.amzn2.0.7	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/rubygem-json?arch=i686&distro=amazonlinux-2	amazonlinux	rubygem-json	< 1.7.7-36.amzn2.0.7	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/rubygem-json?arch=aarch64&distro=amazonlinux-2	amazonlinux	rubygem-json	< 1.7.7-36.amzn2.0.7	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/rubygem-io-console?arch=x86_64&distro=amazonlinux-2	amazonlinux	rubygem-io-console	< 0.4.2-36.amzn2.0.7	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/rubygem-io-console?arch=i686&distro=amazonlinux-2	amazonlinux	rubygem-io-console	< 0.4.2-36.amzn2.0.7	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/rubygem-io-console?arch=aarch64&distro=amazonlinux-2	amazonlinux	rubygem-io-console	< 0.4.2-36.amzn2.0.7	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=x86_64&distro=amazonlinux-2	amazonlinux	rubygem-bigdecimal	< 1.2.0-36.amzn2.0.7	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=i686&distro=amazonlinux-2	amazonlinux	rubygem-bigdecimal	< 1.2.0-36.amzn2.0.7	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/rubygem-bigdecimal?arch=aarch64&distro=amazonlinux-2	amazonlinux	rubygem-bigdecimal	< 1.2.0-36.amzn2.0.7	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/ruby?arch=x86_64&distro=amazonlinux-2	amazonlinux	ruby	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/ruby?arch=i686&distro=amazonlinux-2	amazonlinux	ruby	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/ruby?arch=aarch64&distro=amazonlinux-2	amazonlinux	ruby	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/ruby-tcltk?arch=x86_64&distro=amazonlinux-2	amazonlinux	ruby-tcltk	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/ruby-tcltk?arch=i686&distro=amazonlinux-2	amazonlinux	ruby-tcltk	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/ruby-tcltk?arch=aarch64&distro=amazonlinux-2	amazonlinux	ruby-tcltk	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/ruby-libs?arch=x86_64&distro=amazonlinux-2	amazonlinux	ruby-libs	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/ruby-libs?arch=i686&distro=amazonlinux-2	amazonlinux	ruby-libs	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/ruby-libs?arch=aarch64&distro=amazonlinux-2	amazonlinux	ruby-libs	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/ruby-irb?arch=noarch&distro=amazonlinux-2	amazonlinux	ruby-irb	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/ruby-doc?arch=noarch&distro=amazonlinux-2	amazonlinux	ruby-doc	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	noarch
Affected	pkg:rpm/amazonlinux/ruby-devel?arch=x86_64&distro=amazonlinux-2	amazonlinux	ruby-devel	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/ruby-devel?arch=i686&distro=amazonlinux-2	amazonlinux	ruby-devel	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/ruby-devel?arch=aarch64&distro=amazonlinux-2	amazonlinux	ruby-devel	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/ruby-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	ruby-debuginfo	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/ruby-debuginfo?arch=i686&distro=amazonlinux-2	amazonlinux	ruby-debuginfo	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/ruby-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	ruby-debuginfo	< 2.0.0.648-36.amzn2.0.7	amazonlinux-2	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date