ALASRUBY2.6-2023-006

Related Vulnerabilities: CVE-2020-25613   CVE-2021-28965  

Amazon Linux 2 Security Advisory: ALASRUBY2.6-2023-006
Advisory Release Date: 2023-08-21 20:59 Pacific
Advisory Updated Date: 2023-09-25 22:02 Pacific
Severity: Medium

Issue Overview:

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack. (CVE-2020-25613)
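The smuggling risk described above comes from two hops disagreeing about how the request body is framed: a front end that does not recognise a mangled Transfer-Encoding value falls back to Content-Length, while a back end that merely looks for the substring "chunked" reads the body as chunked. The following Ruby code is an added example, not WEBrick's or Amazon's code; the module name StrictFraming and the sample request heads are constructed for illustration. It contrasts the lenient substring test with a strict framing decision that accepts exactly one Transfer-Encoding header whose whole value is "chunked", rejects Transfer-Encoding combined with Content-Length, and rejects duplicate or non-numeric Content-Length values.

```ruby
# Added example (not WEBrick's own code): strict HTTP/1.1 body framing.
# Module, constants and sample request heads are constructed for illustration.
module StrictFraming
  class BadRequest < StandardError; end

  # Constructed request heads (request line + headers, CRLF-terminated).
  CLEAN_HEAD = "POST /upload HTTP/1.1\r\n" \
               "Host: app.example\r\n" \
               "Transfer-Encoding: chunked\r\n"

  # A front end that does not recognise "xchunked" frames the body by
  # Content-Length; a back end using a substring match frames it as chunked.
  DESYNC_HEAD = "POST /upload HTTP/1.1\r\n" \
                "Host: app.example\r\n" \
                "Content-Length: 13\r\n" \
                "Transfer-Encoding: xchunked\r\n"

  # Parse a raw request head into [downcased-name, value] pairs.
  # Duplicates are preserved so the framing check can see them.
  def self.parse_head(raw)
    lines = raw.split("\r\n")
    lines.shift # request line; not needed for framing
    lines.reject(&:empty?).map do |line|
      name, value = line.split(":", 2)
      raise BadRequest, "malformed header line: #{line.inspect}" if value.nil? || name.strip.empty?
      [name.strip.downcase, value.strip]
    end
  end

  # Lenient test of the kind the advisory describes: any value that merely
  # contains "chunked" is treated as chunked, so "xchunked" or
  # "chunked, identity" pass and this hop may disagree with the one in front.
  def self.lax_chunked?(te)
    !te.nil? && /chunked/i.match?(te)
  end

  # Strict decision: :chunked, :content_length or :none. Raises BadRequest on
  # any combination two implementations could frame differently.
  def self.body_framing(headers)
    tes = headers.select { |n, _| n == "transfer-encoding" }.map(&:last)
    cls = headers.select { |n, _| n == "content-length" }.map(&:last)

    unless tes.empty?
      raise BadRequest, "multiple Transfer-Encoding headers" if tes.size > 1
      raise BadRequest, "Transfer-Encoding together with Content-Length" unless cls.empty?
      raise BadRequest, "unsupported Transfer-Encoding: #{tes[0]}" unless /\Achunked\z/i.match?(tes[0])
      return :chunked
    end

    unless cls.empty?
      raise BadRequest, "conflicting Content-Length values" if cls.uniq.size > 1
      raise BadRequest, "invalid Content-Length: #{cls[0]}" unless /\A\d+\z/.match?(cls[0])
      return :content_length
    end

    :none
  end

  # Convenience wrapper: the framing symbol, or "rejected: <reason>".
  def self.classify(raw)
    body_framing(parse_head(raw))
  rescue BadRequest => e
    "rejected: #{e.message}"
  end
end

if $PROGRAM_NAME == __FILE__
  te = StrictFraming.parse_head(StrictFraming::DESYNC_HEAD).assoc("transfer-encoding")&.last
  puts "lax check treats #{te.inspect} as chunked: #{StrictFraming.lax_chunked?(te)}"
  puts "strict check: #{StrictFraming.classify(StrictFraming::DESYNC_HEAD)}"
  puts "strict check: #{StrictFraming.classify(StrictFraming::CLEAN_HEAD)}"
end
```

Rejecting "chunked, identity" and other multi-coding values is stricter than HTTP/1.1 requires; the trade-off taken here is that any value a front-end proxy might not normalise the same way is a desync opportunity, so an origin server behind a proxy is safer refusing it outright.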

A flaw was found in the way the Ruby REXML library parsed XML documents. Parsing a specially crafted XML document using REXML and writing parsed data back to a new XML document results in creating a document with a different structure. This issue could affect the integrity of processed data in applications using REXML that parse XML documents, write data back to XML, and re-parse them again. (CVE-2021-28965)
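The failure mode above is a parse, write, re-parse cycle that silently produces a different tree. An application that writes parsed XML back out can defend itself by checking, before it acts on or stores the document, that the structure survives that cycle. The following Ruby code is an added example, not REXML's or Amazon's code; the module name XmlRoundTrip, the signature scheme and the sample document are constructed for illustration. It builds a structural signature (element names, sorted attributes, non-blank text) for the parsed tree, serializes with REXML, re-parses, and rejects the input when the two signatures differ.

```ruby
# Added example (not REXML's own code): refuse XML whose structure does not
# survive a parse -> serialize -> re-parse round trip. Module name and the
# sample document are constructed for illustration.
require "rexml/document"

module XmlRoundTrip
  class Unstable < StandardError; end

  # Constructed sample: an order document with an escaped attribute value.
  SAMPLE = '<order id="42"><item sku="A&amp;B" qty="2">Widget</item><note/></order>'

  # Structural signature of a node: element name, sorted attributes, and the
  # signatures of its children. Whitespace-only text is dropped so that
  # indentation differences from serialization do not count as changes;
  # comments and processing instructions are ignored (nil from the case).
  def self.signature(node)
    case node
    when REXML::Document
      node.root ? signature(node.root) : []
    when REXML::Element
      attrs = []
      node.attributes.each_attribute { |a| attrs << [a.expanded_name, a.value] }
      kids = node.children.map { |c| signature(c) }.compact
      [node.expanded_name, attrs.sort, kids]
    when REXML::Text
      text = node.value.strip # value is the entity-decoded form
      text.empty? ? nil : text
    end
  end

  # Serialize the parsed tree back to XML text.
  def self.serialize(doc)
    out = +""
    doc.write(out)
    out
  end

  # True when parsing, writing and re-parsing yields the same structure.
  def self.round_trip_stable?(xml)
    first = REXML::Document.new(xml)
    second = REXML::Document.new(serialize(first))
    signature(first) == signature(second)
  end

  # Parse for use in the application, but only if the round trip is stable;
  # otherwise the document is ambiguous and should be rejected rather than
  # written back out (the pattern the advisory warns about).
  def self.parse_checked(xml)
    raise Unstable, "XML structure changed across serialization" unless round_trip_stable?(xml)
    REXML::Document.new(xml)
  end
end

if $PROGRAM_NAME == __FILE__
  doc = XmlRoundTrip.parse_checked(XmlRoundTrip::SAMPLE)
  p XmlRoundTrip.signature(doc)
end
```

The check is only as good as the parser it runs on, so it complements, rather than replaces, updating to the fixed ruby package: on a patched REXML it costs one extra serialization per document and catches structural drift introduced by any other tool in the pipeline.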


Affected Packages:

ruby


Issue Correction:
Run yum update ruby to update your system. After the update, rpm -q ruby should report ruby-2.6.7-126.amzn2 for the installed architecture. Restart any long-running Ruby processes (for example WEBrick-based services) so they load the updated libraries; a process started before the update keeps the old code in memory.

New Packages:
aarch64:
    ruby-2.6.7-126.amzn2.aarch64
    ruby-devel-2.6.7-126.amzn2.aarch64
    ruby-libs-2.6.7-126.amzn2.aarch64
    rubygem-bigdecimal-1.4.1-126.amzn2.aarch64
    rubygem-io-console-0.4.7-126.amzn2.aarch64
    rubygem-json-2.1.0-126.amzn2.aarch64
    rubygem-openssl-2.1.2-126.amzn2.aarch64
    rubygem-psych-3.1.0-126.amzn2.aarch64
    ruby-debuginfo-2.6.7-126.amzn2.aarch64

i686:
    ruby-2.6.7-126.amzn2.i686
    ruby-devel-2.6.7-126.amzn2.i686
    ruby-libs-2.6.7-126.amzn2.i686
    rubygem-bigdecimal-1.4.1-126.amzn2.i686
    rubygem-io-console-0.4.7-126.amzn2.i686
    rubygem-json-2.1.0-126.amzn2.i686
    rubygem-openssl-2.1.2-126.amzn2.i686
    rubygem-psych-3.1.0-126.amzn2.i686
    ruby-debuginfo-2.6.7-126.amzn2.i686

noarch:
    rubygems-3.0.3.1-126.amzn2.noarch
    rubygems-devel-3.0.3.1-126.amzn2.noarch
    rubygem-rake-12.3.3-126.amzn2.noarch
    rubygem-irb-1.0.0-126.amzn2.noarch
    rubygem-rdoc-6.1.2-126.amzn2.noarch
    ruby-doc-2.6.7-126.amzn2.noarch
    rubygem-did_you_mean-1.3.0-126.amzn2.noarch
    rubygem-minitest-5.11.3-126.amzn2.noarch
    rubygem-power_assert-1.1.3-126.amzn2.noarch
    rubygem-net-telnet-0.2.0-126.amzn2.noarch
    rubygem-test-unit-3.2.9-126.amzn2.noarch
    rubygem-xmlrpc-0.3.0-126.amzn2.noarch
    rubygem-bundler-1.17.2-126.amzn2.noarch

src:
    ruby-2.6.7-126.amzn2.src

x86_64:
    ruby-2.6.7-126.amzn2.x86_64
    ruby-devel-2.6.7-126.amzn2.x86_64
    ruby-libs-2.6.7-126.amzn2.x86_64
    rubygem-bigdecimal-1.4.1-126.amzn2.x86_64
    rubygem-io-console-0.4.7-126.amzn2.x86_64
    rubygem-json-2.1.0-126.amzn2.x86_64
    rubygem-openssl-2.1.2-126.amzn2.x86_64
    rubygem-psych-3.1.0-126.amzn2.x86_64
    ruby-debuginfo-2.6.7-126.amzn2.x86_64