Headline
RHSA-2022:6855: Red Hat Security Advisory: rh-ruby30-ruby security, bug fix, and enhancement update
An update for rh-ruby30-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-41816: ruby: buffer overflow in CGI.escape_html
- CVE-2021-41817: ruby: Regular expression denial of service vulnerability of Date parsing methods
- CVE-2021-41819: ruby: Cookie prefix spoofing in CGI::Cookie.parse
- CVE-2022-28738: Ruby: Double free in Regexp compilation
- CVE-2022-28739: Ruby: Buffer overrun in String-to-Float conversion
Synopsis
Moderate: rh-ruby30-ruby security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Description
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: rh-ruby30-ruby (3.0.4). (BZ#2128628)
Security Fix(es):
- ruby: buffer overflow in CGI.escape_html (CVE-2021-41816)
- ruby: Regular expression denial of service vulnerability of Date parsing methods (CVE-2021-41817)
- ruby: Cookie prefix spoofing in CGI::Cookie.parse (CVE-2021-41819)
- Ruby: Double free in Regexp compilation (CVE-2022-28738)
- Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- rh-ruby30 ruby: User-installed rubygems plugins are not being loaded (BZ#2128629)
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
- Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Fixes
- BZ - 2025104 - CVE-2021-41817 ruby: Regular expression denial of service vulnerability of Date parsing methods
- BZ - 2026752 - CVE-2021-41816 ruby: buffer overflow in CGI.escape_html
- BZ - 2026757 - CVE-2021-41819 ruby: Cookie prefix spoofing in CGI::Cookie.parse
- BZ - 2075685 - CVE-2022-28738 Ruby: Double free in Regexp compilation
- BZ - 2075687 - CVE-2022-28739 Ruby: Buffer overrun in String-to-Float conversion
- BZ - 2128628 - rh-ruby30-ruby: Rebase to the latest Ruby 3.0 release [rhscl-3] [rhscl-3.8.z]
- BZ - 2128629 - rh-ruby30 ruby: User-installed rubygems plugins are not being loaded [rhscl-3.8.z]
CVEs
- CVE-2021-41816
- CVE-2021-41817
- CVE-2021-41819
- CVE-2022-28738
- CVE-2022-28739
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
SRPM
rh-ruby30-ruby-3.0.4-149.el7.src.rpm
x86_64
rh-ruby30-ruby-3.0.4-149.el7.x86_64.rpm
rh-ruby30-ruby-debuginfo-3.0.4-149.el7.x86_64.rpm
rh-ruby30-ruby-default-gems-3.0.4-149.el7.noarch.rpm
rh-ruby30-ruby-devel-3.0.4-149.el7.x86_64.rpm
rh-ruby30-ruby-doc-3.0.4-149.el7.noarch.rpm
rh-ruby30-ruby-libs-3.0.4-149.el7.x86_64.rpm
rh-ruby30-rubygem-bigdecimal-3.0.0-149.el7.x86_64.rpm
rh-ruby30-rubygem-bundler-2.2.33-149.el7.noarch.rpm
rh-ruby30-rubygem-io-console-0.5.7-149.el7.x86_64.rpm
rh-ruby30-rubygem-irb-1.3.5-149.el7.noarch.rpm
rh-ruby30-rubygem-json-2.5.1-149.el7.x86_64.rpm
rh-ruby30-rubygem-minitest-5.14.2-149.el7.noarch.rpm
rh-ruby30-rubygem-power_assert-1.2.0-149.el7.noarch.rpm
rh-ruby30-rubygem-psych-3.3.2-149.el7.x86_64.rpm
rh-ruby30-rubygem-rake-13.0.3-149.el7.noarch.rpm
rh-ruby30-rubygem-rbs-1.4.0-149.el7.noarch.rpm
rh-ruby30-rubygem-rexml-3.2.5-149.el7.noarch.rpm
rh-ruby30-rubygem-rss-0.2.9-149.el7.noarch.rpm
rh-ruby30-rubygem-test-unit-3.3.7-149.el7.noarch.rpm
rh-ruby30-rubygem-typeprof-0.15.2-149.el7.noarch.rpm
rh-ruby30-rubygems-3.2.33-149.el7.noarch.rpm
rh-ruby30-rubygems-devel-3.2.33-149.el7.noarch.rpm
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7
SRPM
rh-ruby30-ruby-3.0.4-149.el7.src.rpm
s390x
rh-ruby30-ruby-3.0.4-149.el7.s390x.rpm
rh-ruby30-ruby-debuginfo-3.0.4-149.el7.s390x.rpm
rh-ruby30-ruby-default-gems-3.0.4-149.el7.noarch.rpm
rh-ruby30-ruby-devel-3.0.4-149.el7.s390x.rpm
rh-ruby30-ruby-doc-3.0.4-149.el7.noarch.rpm
rh-ruby30-ruby-libs-3.0.4-149.el7.s390x.rpm
rh-ruby30-rubygem-bigdecimal-3.0.0-149.el7.s390x.rpm
rh-ruby30-rubygem-bundler-2.2.33-149.el7.noarch.rpm
rh-ruby30-rubygem-io-console-0.5.7-149.el7.s390x.rpm
rh-ruby30-rubygem-irb-1.3.5-149.el7.noarch.rpm
rh-ruby30-rubygem-json-2.5.1-149.el7.s390x.rpm
rh-ruby30-rubygem-minitest-5.14.2-149.el7.noarch.rpm
rh-ruby30-rubygem-power_assert-1.2.0-149.el7.noarch.rpm
rh-ruby30-rubygem-psych-3.3.2-149.el7.s390x.rpm
rh-ruby30-rubygem-rake-13.0.3-149.el7.noarch.rpm
rh-ruby30-rubygem-rbs-1.4.0-149.el7.noarch.rpm
rh-ruby30-rubygem-rexml-3.2.5-149.el7.noarch.rpm
rh-ruby30-rubygem-rss-0.2.9-149.el7.noarch.rpm
rh-ruby30-rubygem-test-unit-3.3.7-149.el7.noarch.rpm
rh-ruby30-rubygem-typeprof-0.15.2-149.el7.noarch.rpm
rh-ruby30-rubygems-3.2.33-149.el7.noarch.rpm
rh-ruby30-rubygems-devel-3.2.33-149.el7.noarch.rpm
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7
SRPM
rh-ruby30-ruby-3.0.4-149.el7.src.rpm
ppc64le
rh-ruby30-ruby-3.0.4-149.el7.ppc64le.rpm
rh-ruby30-ruby-debuginfo-3.0.4-149.el7.ppc64le.rpm
rh-ruby30-ruby-default-gems-3.0.4-149.el7.noarch.rpm
rh-ruby30-ruby-devel-3.0.4-149.el7.ppc64le.rpm
rh-ruby30-ruby-doc-3.0.4-149.el7.noarch.rpm
rh-ruby30-ruby-libs-3.0.4-149.el7.ppc64le.rpm
rh-ruby30-rubygem-bigdecimal-3.0.0-149.el7.ppc64le.rpm
rh-ruby30-rubygem-bundler-2.2.33-149.el7.noarch.rpm
rh-ruby30-rubygem-io-console-0.5.7-149.el7.ppc64le.rpm
rh-ruby30-rubygem-irb-1.3.5-149.el7.noarch.rpm
rh-ruby30-rubygem-json-2.5.1-149.el7.ppc64le.rpm
rh-ruby30-rubygem-minitest-5.14.2-149.el7.noarch.rpm
rh-ruby30-rubygem-power_assert-1.2.0-149.el7.noarch.rpm
rh-ruby30-rubygem-psych-3.3.2-149.el7.ppc64le.rpm
rh-ruby30-rubygem-rake-13.0.3-149.el7.noarch.rpm
rh-ruby30-rubygem-rbs-1.4.0-149.el7.noarch.rpm
rh-ruby30-rubygem-rexml-3.2.5-149.el7.noarch.rpm
rh-ruby30-rubygem-rss-0.2.9-149.el7.noarch.rpm
rh-ruby30-rubygem-test-unit-3.3.7-149.el7.noarch.rpm
rh-ruby30-rubygem-typeprof-0.15.2-149.el7.noarch.rpm
rh-ruby30-rubygems-3.2.33-149.el7.noarch.rpm
rh-ruby30-rubygems-devel-3.2.33-149.el7.noarch.rpm
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
SRPM
rh-ruby30-ruby-3.0.4-149.el7.src.rpm
x86_64
rh-ruby30-ruby-3.0.4-149.el7.x86_64.rpm
rh-ruby30-ruby-debuginfo-3.0.4-149.el7.x86_64.rpm
rh-ruby30-ruby-default-gems-3.0.4-149.el7.noarch.rpm
rh-ruby30-ruby-devel-3.0.4-149.el7.x86_64.rpm
rh-ruby30-ruby-doc-3.0.4-149.el7.noarch.rpm
rh-ruby30-ruby-libs-3.0.4-149.el7.x86_64.rpm
rh-ruby30-rubygem-bigdecimal-3.0.0-149.el7.x86_64.rpm
rh-ruby30-rubygem-bundler-2.2.33-149.el7.noarch.rpm
rh-ruby30-rubygem-io-console-0.5.7-149.el7.x86_64.rpm
rh-ruby30-rubygem-irb-1.3.5-149.el7.noarch.rpm
rh-ruby30-rubygem-json-2.5.1-149.el7.x86_64.rpm
rh-ruby30-rubygem-minitest-5.14.2-149.el7.noarch.rpm
rh-ruby30-rubygem-power_assert-1.2.0-149.el7.noarch.rpm
rh-ruby30-rubygem-psych-3.3.2-149.el7.x86_64.rpm
rh-ruby30-rubygem-rake-13.0.3-149.el7.noarch.rpm
rh-ruby30-rubygem-rbs-1.4.0-149.el7.noarch.rpm
rh-ruby30-rubygem-rexml-3.2.5-149.el7.noarch.rpm
rh-ruby30-rubygem-rss-0.2.9-149.el7.noarch.rpm
rh-ruby30-rubygem-test-unit-3.3.7-149.el7.noarch.rpm
rh-ruby30-rubygem-typeprof-0.15.2-149.el7.noarch.rpm
rh-ruby30-rubygems-3.2.33-149.el7.noarch.rpm
rh-ruby30-rubygems-devel-3.2.33-149.el7.noarch.rpm
Related news
Gentoo Linux Security Advisory 202401-27 - Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. Multiple versions are affected.
Red Hat Security Advisory 2022-6855-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include buffer overflow, denial of service, double free, and spoofing vulnerabilities.
Red Hat Security Advisory 2022-6856-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include buffer overflow, denial of service, and spoofing vulnerabilities.
Red Hat Security Advisory 2022-6585-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include a double free vulnerability.
Red Hat Security Advisory 2022-6447-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include denial of service and spoofing vulnerabilities.
Red Hat Security Advisory 2022-6450-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include denial of service, double free, and spoofing vulnerabilities.
Ubuntu Security Notice 5462-2 - USN-5462-1 fixed several vulnerabilities in Ruby. This update provides the corresponding CVE-2022-28739 update for ruby2.3 on Ubuntu 16.04 ESM. It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information.
Ubuntu Security Notice 5462-1 - It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information.
There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.
A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.
CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby.