#ruby

Red Hat Security Advisory 2022-5002-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

Move intended to help prevent Ruby packages from being used in supply chain attacks

Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octokit 4.25.0. Two workarounds are available. Users can use the previous version of the gem, v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

### Impact Versions [4.23.0](https://rubygems.org/gems/octokit/versions/4.23.0) and [4.24.0](https://rubygems.org/gems/octokit/versions/4.24.0) of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. Malicious code already present and running on your machine, separate from this package, could modify the gem’s files and change its behavior during runtime. ### Patches * [octokit 4.25.0](https://rubygems.org/gems/octokit/versions/4.25.0) ### Workarounds Users can use the previous version of the gem [v4.22.0](https://rubygems.org/gems/octokit/versions/4.22.0). Alternatively, users can modify the file permissions manually until they are able to upgrade to the la...

### Impact Version [0.2.0](https://rubygems.org/gems/octopoller/versions/0.2.0) of the octopoller gem was published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. Malicious code already present and running on your machine, separate from this package, could modify the gem’s files and change its behavior during runtime. ### Patches * octopoller 0.3.0 ### Workarounds Users can use the previous version of the gem [v0.1.0](https://rubygems.org/gems/octopoller/versions/0.1.0). Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.

An update for the virt:av and virt-devel:av modules is now available for Red Hat Enterprise Linux Advanced Virtualization 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4206: QEMU: QXL: integer overflow in cursor_alloc() can lead to heap buffer overflow * CVE-2021-4207: QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow * CVE-2022-26353: QEMU: virtio-net: map leaking on error during receive * CVE-2022-26354: QEMU: vhos...

**Summary** Mechanize (rubygem) `< v2.8.5` leaks the `Authorization` header after a redirect to a different port on the same site. **Mitigation** Upgrade to Mechanize v2.8.5 or later. **Notes** See [https://curl.se/docs/CVE-2022-27776.html](CVE-2022-27776) for a similar vulnerability in curl. Cookies are shared with a server at a different port on the same site, per https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part: > Cookies do not provide isolation by port. If a cookie is readable > by a service running on one port, the cookie is also readable by a > service running on another port of the same server. If a cookie is > writable by a service on one port, the cookie is also writable by a > service running on another port of the same server. For this > reason, servers SHOULD NOT both run mutually distrusting services on > different ports of the same host and use cookies to store security- > sensitive information.

The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue.

Ubuntu Security Notice 5462-2 - USN-5462-1 fixed several vulnerabilities in Ruby. This update provides the corresponding CVE-2022-28739 update for ruby2.3 on Ubuntu 16.04 ESM. It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information.