====================================================================
CERT-Renater Note d'Information No. 2021/VULN207
_____________________________________________________________________

DATE                 : 09/04/2021
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Ruby versions prior to 3.0.1, 2.7.3, 2.6.7, 2.5.9.
=====================================================================

https://www.ruby-lang.org/en/news/2021/04/05/tempfile-path-traversal-on-windows-cve-2021-28966/
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
https://www.ruby-lang.org/en/news/2021/04/05/ruby-3-0-1-released/
https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-7-3-released/
https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-6-7-released/
https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-5-9-released/
_____________________________________________________________________

CVE-2021-28966: Path traversal in Tempfile on Windows
Posted by mame on 5 Apr 2021

There is an unintentional directory creation vulnerability in the tmpdir library bundled with Ruby on Windows. There is also an unintentional file creation vulnerability in the tempfile library bundled with Ruby on Windows, because it uses tmpdir internally. This vulnerability has been assigned the CVE identifier CVE-2021-28966.

Details

The Dir.mktmpdir method introduced by the tmpdir library accepts the prefix and the suffix of the directory to be created as its first parameter. The prefix can contain relative directory specifiers such as "..\\", so this method can be used to target any directory. Consequently, if a script accepts external input as the prefix, and the targeted directory has inappropriate permissions or the Ruby process has inappropriate privileges, an attacker can create a directory or a file in any directory. This is the same issue as CVE-2018-6914, but the previous fix was incomplete on Windows.

All users running an affected release should upgrade immediately.
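Upgrading is the fix; the following is an added defensive example (not code from the advisory or from Ruby's tmpdir/tempfile libraries) showing what a program that must pass caller-controlled names to Dir.mktmpdir can do in the meantime: treat the prefix as a single path component, and verify after creation that the directory really sits under the intended parent. The function names safe_tmp_prefix? and mktmpdir_checked are our own.

```ruby
# Added example, not part of the advisory or of Ruby's stdlib.
# A caller-supplied prefix is only allowed through to Dir.mktmpdir when it
# is a plain name: no "/" or "\\" (so no "..\\" traversal), no NUL byte,
# and not "." or "..". The post-creation realpath check is a second line
# of defence against platform-specific path normalisation surprises.
require "tmpdir"
require "tempfile"

# true only for a short, single-component name made of safe characters
def safe_tmp_prefix?(name)
  return false unless name.is_a?(String)
  return false if name.empty? || name.bytesize > 64
  return false if name.include?("/") || name.include?("\\")
  return false if name.include?("\0")
  return false if name == "." || name == ".."
  name.match?(/\A[A-Za-z0-9._-]+\z/)
end

# Wraps Dir.mktmpdir: rejects an unsafe prefix up front, then confirms the
# created directory resolves to a location inside `parent`; otherwise the
# directory is removed again and a SecurityError is raised.
def mktmpdir_checked(prefix, parent = Dir.tmpdir)
  unless safe_tmp_prefix?(prefix)
    raise ArgumentError, "unsafe tmpdir prefix: #{prefix.inspect}"
  end
  dir = Dir.mktmpdir(prefix, parent)
  real_parent = File.realpath(parent)
  real_dir = File.realpath(dir)
  unless real_dir.start_with?(real_parent + File::SEPARATOR)
    Dir.rmdir(dir)
    raise SecurityError, "temp dir escaped #{parent}: #{dir}"
  end
  dir
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample inputs
  ["upload-", "..\\..\\Windows", "../etc", "a\0b"].each do |p|
    puts "#{p.inspect} -> #{safe_tmp_prefix?(p)}"
  end
  d = mktmpdir_checked("scan-")
  puts "created #{d}"
  Dir.rmdir(d)
end
```

The same gate applies to Tempfile.new, which builds its name through tmpdir internally: validate the basename with safe_tmp_prefix? before handing it over.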
Affected versions

- Ruby 2.7.2 or prior
- Ruby 3.0.0

Credits

Thanks to Bugdiscloseguys for discovering this issue.

History

- Originally published at 2021-04-05 12:00:00 (UTC)
_____________________________________________________________________

CVE-2021-28965: XML round-trip vulnerability in REXML
Posted by mame on 5 Apr 2021

There is an XML round-trip vulnerability in the REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2021-28965. We strongly recommend upgrading the REXML gem.

Details

When parsing and serializing a crafted XML document, the REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that use REXML.

Please update the REXML gem to version 3.2.5 or later.

- If you are using Ruby 2.6 or later: please use Ruby 2.6.7, 2.7.3, or 3.0.1. Alternatively, you can run "gem update rexml" to update it. If you are using bundler, please add gem "rexml", ">= 3.2.5" to your Gemfile.
- If you are using Ruby 2.5.8 or prior: please use Ruby 2.5.9. You cannot use "gem update rexml" for Ruby 2.5.8 or prior. Note that the Ruby 2.5 series is now EOL, so please consider upgrading Ruby to 2.6.7 or later as soon as possible.

Affected versions

- Ruby 2.5.8 or prior (you can NOT use "gem update rexml" for this version)
- Ruby 2.6.7 or prior
- Ruby 2.7.2 or prior
- Ruby 3.0.1 or prior
- REXML gem 3.2.4 or prior

Credits

Thanks to Juho Nurminen for discovering this issue.

History

- Originally published at 2021-04-05 12:00:00 (UTC)
_____________________________________________________________________

Ruby 3.0.1 Released
Posted by naruse on 5 Apr 2021

Ruby 3.0.1 has been released.

This release includes security fixes. Please check the topics below for details.

- CVE-2021-28965: XML round-trip vulnerability in REXML
- CVE-2021-28966: Path traversal in Tempfile on Windows

See the commit logs for details.
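For the CVE-2021-28965 REXML advisory above, the following is an added example (not code from the advisory or from the REXML project) of two checks a deployment can run: confirm that the loaded REXML is at or past the fixed 3.2.5, and, for programs that re-emit XML they parsed, compare the parsed tree before and after one parse / serialize / parse cycle so that a document whose structure does not survive the round trip is refused rather than forwarded. The function names canonical, round_trip_stable? and rexml_fixed? are our own; the sample document is constructed.

```ruby
# Added example, not part of the advisory or of the REXML gem.
require "rexml/document"

# Reduce an element tree to plain Ruby data: [name, sorted attributes,
# children]. Text becomes stripped strings; whitespace-only text, comments
# and processing instructions are dropped, so only structure is compared.
def canonical(node)
  case node
  when REXML::Element
    attrs = node.attributes.map { |k, v| [k, v] }.sort
    kids = node.children.map { |c| canonical(c) }.compact
    [node.expanded_name, attrs, kids]
  when REXML::Text
    s = node.value.strip
    s.empty? ? nil : s
  end
end

# true when parse -> to_s -> parse yields the same structure as the first
# parse. A document for which this returns false must not be passed on as
# if it were equivalent to what was received.
def round_trip_stable?(xml)
  first  = REXML::Document.new(xml)
  second = REXML::Document.new(first.to_s)
  canonical(first.root) == canonical(second.root)
end

# true when the given REXML version is at or past the fixed release 3.2.5
def rexml_fixed?(version = REXML::VERSION)
  Gem::Version.new(version) >= Gem::Version.new("3.2.5")
end

if __FILE__ == $PROGRAM_NAME
  sample = "<order id='42'><item sku='A1'>widget</item><note/></order>"  # constructed
  puts "REXML #{REXML::VERSION} fixed: #{rexml_fixed?}"
  puts "round trip stable: #{round_trip_stable?(sample)}"
end
```

The round-trip check is a safety net, not a substitute for the upgrade: it only tells you that the serialized output no longer matches what was parsed, which is exactly the condition the advisory describes.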
Download

https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.1.tar.gz
  SIZE:   19664598
  SHA1:   60c72f3e501a3be9616385cad3e48bc89d6150a1
  SHA256: 369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727
  SHA512: cb81db2c9b698cf8159b2ca6507f4c7f171e4eb387f5730c4b658ed632b7900a169808e6fbec0ee80598d937030ad5d9c56b63a2a339373ec5d9e1c06b7661d0

https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.1.tar.xz
  SIZE:   14486780
  SHA1:   3c5443960fe860ff7055bc02a4793140b9fb9b28
  SHA256: d06bccd382d03724b69f674bc46cd6957ba08ed07522694ce44b9e8ffc9c48e2
  SHA512: 97d2e883656060846b304368d9d836e2f3ef39859c36171c9398a0573818e4ed75bfd7460f901a9553f7f53518c505327a66e74f83704a881469f5ac61fe13d7

https://cache.ruby-lang.org/pub/ruby/3.0/ruby-3.0.1.zip
  SIZE:   24014727
  SHA1:   311164da8f68abb58f8590356bf492fc2ab80192
  SHA256: c8703c33904c79613a41a750cc62d210c3c57fec0728476d66b0a9031a499d68
  SHA512: 395cdbd7fd42f0d2b42208c390db7ac2ed8d3e247d9b7fdaa43347a815b108a3680cbebf2ab8f05ec468ff02c832e2f3c1399e616f0f3e3016f6a6e894811b01

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.
_____________________________________________________________________

Ruby 2.7.3 Released
Posted by nagachika on 5 Apr 2021

Ruby 2.7.3 has been released.

This release includes security fixes. Please check the topics below for details.

- CVE-2021-28965: XML round-trip vulnerability in REXML
- CVE-2021-28966: Path traversal in Tempfile on Windows

See the commit logs for details.
Download

https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.tar.bz2
  SIZE:   14792727
  SHA1:   4f4a47465b48a91d43fb557b70e47d79f6727a29
  SHA256: 3e90e5a41d4df90e19c307ab0fb41789992c0b0128e6bbaa669b89ed44a0b68b
  SHA512: e9236138be3e61380140f2e0d42f8fb82ad8f5219d454de2f6c2ec546bb208acc8b0f2020f23e6446660d2b3b9ae873cdd8298471f166a5f1efba8e80b05e746

https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.tar.gz
  SIZE:   16912725
  SHA1:   1fef38fbb31134e6e14df63ee6ce673e118d64ce
  SHA256: 8925a95e31d8f2c81749025a52a544ea1d05dad18794e6828709268b92e55338
  SHA512: 1d036d08016351e8f9e7506a6abaf490fe226cf2ff9c2f9df582b57bff22a960dbaf271a8a167ac09f864613b9b8b14191bb79f8a6900ad5ca24131ecf571d54

https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.tar.xz
  SIZE:   12073568
  SHA1:   ce3d5203d5ab734df01e602c05f68f25249dc3e0
  SHA256: 5e91d1650857d43cd6852e05ac54683351e9c301811ee0bef43a67c4605e7db1
  SHA512: b755d418b3bab2f9f6a8893afd13869269f17065643dde78b9e85ae3538a6d0617893db6e9c3908e00a40c7577a5c912a7c822d8f245cdcfb857be76dfb66c1e

https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.zip
  SIZE:   20697429
  SHA1:   384cd3a915ad666d7f6b51b2babbe08285433202
  SHA256: 42b56a95e9016bee468af00db49456ee4720d3f9916dda726cdaf83597158376
  SHA512: 527c8ba425b75f13b5837863735811d00b4af49132df13c65fe71a6e04a83d3780a5b2b54b43a95f5b33592f3d689da3f18cefbecef86bcdb0c5e5fc51c7b037

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.
_____________________________________________________________________

Ruby 2.6.7 Released
Posted by usa on 5 Apr 2021

Ruby 2.6.7 has been released.

This release includes security fixes. Please check the topics below for details.

- CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
- CVE-2021-28965: XML round-trip vulnerability in REXML

See the commit logs for details.

With this release, we end the normal maintenance phase of Ruby 2.6, and Ruby 2.6 enters the security maintenance phase.
This means that we will no longer backport any bug fixes to Ruby 2.6 except security fixes. The security maintenance phase is scheduled to last one year. Ruby 2.6 reaches EOL and its official support ends at the end of the security maintenance phase. Therefore, we recommend that you start planning an upgrade to Ruby 2.7 or 3.0.

Download

https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.tar.bz2
  SIZE:   14136831
  SHA1:   826bcbe83fde9c813a88e5d42155ea8fa6ffb017
  SHA256: 775a5d47b73ce3ee5d600f993badd7b640a2caca138573326db6632858517710
  SHA512: 311ec56d23d0de7a163f66c1ef4e5369b822f8409f8e1f3a25785c803f01c68dd13aa8ddcfb3a0fe6a97bf321950f8d6cd75b2babcb04158e791601914666f7a

https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.tar.gz
  SIZE:   16198982
  SHA1:   c37ba0b0699540bbd46116c2f7440c9e7cd16553
  SHA256: e4227e8b7f65485ecb73397a83e0d09dcd39f25efd411c782b69424e55c7a99e
  SHA512: 11689cb9a48d9a588c5526dc2581f11bcf56496ecf96a93d4bddc3e92327be29a9e7806fe19c1a774d5b9d681010936577738aae872d08950d472d04fa6c4dfa

https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.tar.xz
  SIZE:   11591404
  SHA1:   1fd1448125a00cd7b9994637b5e561506de6a6d3
  SHA256: f43ead5626202d5432d2050eeab606e547f0554299cc1e5cf573d45670e59611
  SHA512: ba6fc0a36af2a08cf1b008851e805f59ea1047724fc7b61d4bc674533b8f123cb12fa0969e9a3f57290477c0d75f974ca7e304836e4905bd96a737211df9bd21

https://cache.ruby-lang.org/pub/ruby/2.6/ruby-2.6.7.zip
  SIZE:   19866856
  SHA1:   762f76f2d09339862f0de18a6603cf7cbe804ec8
  SHA256: 3facc52602ff1f1958b9e82a0c1837ce8b3f39c665d7ff01b9bc62f9b7a9d852
  SHA512: 9c3a098a7a6133e46dbfa0208461b31a5e4eaa4a9cc3d3eed28e4d29bd2ca97bc1a90e3e433a3832e8bbd4a5bac03d0494a15e1b20237536bde2861d5e1e1cd1

Release Comment

Many committers, developers, and users who provided bug reports helped us make this release. Thanks for their contributions.

The maintenance of Ruby 2.6, including this release, is based on the "Agreement for the Ruby stable version" of the Ruby Association.
_____________________________________________________________________

Ruby 2.5.9 Released
Posted by usa on 5 Apr 2021

Ruby 2.5.9 has been released.

This release includes security fixes. Please check the topics below for details.

- CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
- CVE-2021-28965: XML round-trip vulnerability in REXML

See the commit logs for details.

After this release, Ruby 2.5 reaches EOL. In other words, this is the last release of the Ruby 2.5 series. We will not release Ruby 2.5.10 even if a security vulnerability is found. We recommend that all Ruby 2.5 users upgrade to Ruby 3.0, 2.7 or 2.6 immediately.

Download

https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.tar.bz2
  SIZE:   13805484
  SHA1:   6ac21486996aa38a71f858d28d01ada5593d0b45
  SHA256: bebbe3fe7899acd3ca2f213de38158709555e88a13f85ba5dc95239654bcfeeb
  SHA512: 12f58e14cfa6337065b0e82941e39b167813920eb54cbdb4ac4a680dd0cb75d2684d341059e7b4d0da1292bfc4e53041443bd14891a66f50991858b440a835c8

https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.tar.gz
  SIZE:   15687501
  SHA1:   5408671f2ba4f3124ab99ea6edb6d62887d7e5a0
  SHA256: f5894e05f532b748c3347894a5efa42066fd11cc8d261d4d9788ff71da00be68
  SHA512: 5c9a6703b4c8d6e365856d7815e202f24659078d4c8e7a5059443453032b73b28e7ab2b8a6fa995c92c8e7f4838ffa6f9eec31593854e2fc3fc35532cb2db788

https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.tar.xz
  SIZE:   11314448
  SHA1:   7be8dc2e6e534eb36bfdf9f017af512996ec99a6
  SHA256: a87f2fa901408cc77652c1a55ff976695bbe54830ff240e370039eca14b358f0
  SHA512: 239f73eb4049ae2654b648ab927b1f74643d38a5f29572e4bd4e6aa3c53c1df29e0a995fd90d4ab9d4b2ff073fd809b12df820ccb1ddf395684bba6be1855b7a

https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.9.zip
  SIZE:   19064704
  SHA1:   5f39cfb7a73c7321b65706617275c3c7452281a9
  SHA256: 14db683c6ba6a863ef126718269758de537571b675231ec43f03b987739e3ce1
  SHA512: c4a34678d280a99fde28cc33ba12d164be8a484f43b09495f9c22c48d2b963424c38470020c057cf346f8cc050ab4289a90a8d516b2a79245dea4e6de79cb75f

Release Comment

Thanks to everyone who helped with this release, especially to the reporters of the vulnerability.

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email : cert@support.renater.fr +
=========================================================