]> code.ossystems Code Review - openembedded-core.git/commit
Code Review / openembedded-core.git / commit
? search:
summary | shortlog | log | commit | commitdiff | review | tree
(parent: 567dd35) | patch
ruby: Security fixes for CVE-2021-31810/CVE-2021-32066
authorYi Zhao <yi.zhao@windriver.com>
Tue, 14 Sep 2021 08:57:17 +0000 (16:57 +0800)
committerAnuj Mittal <anuj.mittal@intel.com>
Wed, 15 Sep 2021 02:04:54 +0000 (10:04 +0800)
commite14761916290c01683d72eb8e3de530f944fdfab
treeb173b864391e354271479c9a7fb2aab31566952ftree | snapshot
parent567dd35d893c5d8969d41f263a24da8fbae3fc2fcommit | diff
ruby: Security fixes for CVE-2021-31810/CVE-2021-32066

CVE-2021-31810:
A malicious FTP server can use the PASV response to trick Net::FTP into
connecting back to a given IP address and port. This potentially makes
Net::FTP extract information about services that are otherwise private
and not disclosed (e.g., the attacker can conduct port scans and service
banner extractions).

CVE-2021-32066:
Net::IMAP does not raise an exception when StartTLS fails with an
unknown response, which might allow man-in-the-middle attackers to
bypass the TLS protections by leveraging a network position between the
client and the registry to block the StartTLS command, aka a “StartTLS
stripping attack.”

References:
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/

Patches from:
https://github.com/ruby/ruby/commit/bf4d05173c7cf04d8892e4b64508ecf7902717cd
https://github.com/ruby/ruby/commit/e2ac25d0eb66de99f098d6669cf4f06796aa6256

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch [new file with mode: 0644] blob
meta/recipes-devtools/ruby/ruby/CVE-2021-32066.patch [new file with mode: 0644] blob
meta/recipes-devtools/ruby/ruby_3.0.1.bb diff | blob | history
Mirror of the official openembedded-core repository