Debian Bug report logs -
#990815
ruby2.7: CVE-2021-31799 CVE-2021-31810 CVE-2021-32066
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
:
Bug#990815
; Package src:ruby2.7
.
(Thu, 08 Jul 2021 09:06:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
.
(Thu, 08 Jul 2021 09:06:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: ruby2.7
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for ruby2.7.
CVE-2021-31799[0]:
A command injection vulnerability in RDoc
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://github.com/ruby/ruby/commit/483f303d02e768b69e476e0b9be4ab2f26389522 (2.7)
CVE-2021-31810[1]:
Trusting FTP PASV responses vulnerability in Net::FTP
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469 (2.7)
CVE-2021-32066[2]:
A StartTLS stripping vulnerability in Net::IMAP
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a (2.7)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-31799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31799
[1] https://security-tracker.debian.org/tracker/CVE-2021-31810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31810
[2] https://security-tracker.debian.org/tracker/CVE-2021-32066
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32066
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 08 Jul 2021 12:33:03 GMT) (full text, mbox, link).
Marked as found in versions ruby2.7/2.7.3-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 08 Jul 2021 12:33:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu Jul 8 16:16:17 2021;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.