

SUSE-SU-2022:15034-1

Vulnerability from csaf_suse - Published: 2022-09-06 11:58 - Updated: 2022-09-06 11:58
Summary
Security update for ruby
Severity
Important
Notes
Title of the patch: Security update for ruby
Description of the patch: This update for ruby fixes the following issues: - CVE-2018-16395: Fixed an issue where two x509 certificates could be considered to be equal when this was not the case (bsc#1112530). - CVE-2021-32066: Fixed an issue where the IMAP client API would not report a failure when StartTLS failed, leading to potential man in the middle attacks (bsc#1188160). - CVE-2021-31810: Fixed an issue where the FTP client API would trust certain responses from a malicious server, tricking the client into connecting to addresses not (bsc#1188161).
Patchnames: slewyst13-ruby-15034
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for ruby",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for ruby fixes the following issues:\n\n- CVE-2018-16395: Fixed an issue where two x509 certificates could be\n  considered to be equal when this was not the case (bsc#1112530).\n- CVE-2021-32066: Fixed an issue where the IMAP client API would not\n  report a failure when StartTLS failed, leading to potential man in\n  the middle attacks (bsc#1188160).\n- CVE-2021-31810: Fixed an issue where the FTP client API would trust\n  certain responses from a malicious server, tricking the client into\n  connecting to addresses not (bsc#1188161).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "slewyst13-ruby-15034",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_15034-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2022:15034-1",
        "url": "https://www.suse.com/support/update/announcement/2022/suse-su-202215034-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2022:15034-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012115.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1112530",
        "url": "https://bugzilla.suse.com/1112530"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1188160",
        "url": "https://bugzilla.suse.com/1188160"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1188161",
        "url": "https://bugzilla.suse.com/1188161"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-16395 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-16395/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-31810 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-31810/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-32066 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-32066/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-81810 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-81810/"
      }
    ],
    "title": "Security update for ruby",
    "tracking": {
      "current_release_date": "2022-09-06T11:58:31Z",
      "generator": {
        "date": "2022-09-06T11:58:31Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2022:15034-1",
      "initial_release_date": "2022-09-06T11:58:31Z",
      "revision_history": [
        {
          "date": "2022-09-06T11:58:31Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
                "product": {
                  "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
                  "product_id": "ruby-devel-1.8.7.p357-0.9.20.3.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
                "product": {
                  "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
                  "product_id": "ruby-devel-1.8.7.p357-0.9.20.3.1.ia64"
                }
              }
            ],
            "category": "architecture",
            "name": "ia64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
                "product": {
                  "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
                  "product_id": "ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
                "product": {
                  "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
                  "product_id": "ruby-devel-1.8.7.p357-0.9.20.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64",
                "product": {
                  "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64",
                  "product_id": "ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE WebYast 1.3",
                "product": {
                  "name": "SUSE WebYast 1.3",
                  "product_id": "SUSE WebYast 1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:webyast:1.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.i586 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586"
        },
        "product_reference": "ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ia64 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64"
        },
        "product_reference": "ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64"
        },
        "product_reference": "ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.s390x as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x"
        },
        "product_reference": "ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64 as component of SUSE WebYast 1.3",
          "product_id": "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
        },
        "product_reference": "ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64",
        "relates_to_product_reference": "SUSE WebYast 1.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-16395",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-16395"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-16395",
          "url": "https://www.suse.com/security/cve/CVE-2018-16395"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1112530 for CVE-2018-16395",
          "url": "https://bugzilla.suse.com/1112530"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1136906 for CVE-2018-16395",
          "url": "https://bugzilla.suse.com/1136906"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-09-06T11:58:31Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-16395"
    },
    {
      "cve": "CVE-2021-31810",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-31810"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-31810",
          "url": "https://www.suse.com/security/cve/CVE-2021-31810"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188161 for CVE-2021-31810",
          "url": "https://bugzilla.suse.com/1188161"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193383 for CVE-2021-31810",
          "url": "https://bugzilla.suse.com/1193383"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1205053 for CVE-2021-31810",
          "url": "https://bugzilla.suse.com/1205053"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-09-06T11:58:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-31810"
    },
    {
      "cve": "CVE-2021-32066",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-32066"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-32066",
          "url": "https://www.suse.com/security/cve/CVE-2021-32066"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188160 for CVE-2021-32066",
          "url": "https://bugzilla.suse.com/1188160"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196771 for CVE-2021-32066",
          "url": "https://bugzilla.suse.com/1196771"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1205053 for CVE-2021-32066",
          "url": "https://bugzilla.suse.com/1205053"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-09-06T11:58:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-32066"
    },
    {
      "cve": "CVE-2021-81810",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-81810"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
          "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-81810",
          "url": "https://www.suse.com/security/cve/CVE-2021-81810"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.i586",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ia64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.ppc64",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.s390x",
            "SUSE WebYast 1.3:ruby-devel-1.8.7.p357-0.9.20.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-09-06T11:58:31Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-81810"
    }
  ]
}

GSD-2021-81810

Vulnerability from gsd
Aliases

{
  "GSD": {
    "alias": "CVE-2021-81810",
    "id": "GSD-2021-81810",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-81810.html"
    ]
  }
}