[DRE-maint] Bug#990815: ruby2.7: CVE-2021-31799 CVE-2021-31810 CVE-2021-32066
Moritz Mühlenhoff
jmm at inutil.org
Thu Jul 8 10:02:59 BST 2021
Source: ruby2.7
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for ruby2.7.
CVE-2021-31799[0]:
A command injection vulnerability in RDoc
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://github.com/ruby/ruby/commit/483f303d02e768b69e476e0b9be4ab2f26389522 (2.7)
CVE-2021-31810[1]:
Trusting FTP PASV responses vulnerability in Net::FTP
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469 (2.7)
CVE-2021-32066[2]:
A StartTLS stripping vulnerability in Net::IMAP
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a (2.7)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-31799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31799
[1] https://security-tracker.debian.org/tracker/CVE-2021-31810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31810
[2] https://security-tracker.debian.org/tracker/CVE-2021-32066
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32066
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-ruby-extras-maintainers
mailing list