[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 4163-1] rubygems security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4163-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Lucas Kanashiro
May 12, 2025                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : rubygems
Version        : 3.2.5-2+deb11u1
CVE ID         : CVE-2021-43809 CVE-2023-28755 CVE-2025-27221

Multiple vulnerabilities were found in rubygems, which contains a package
management framework for Ruby and a dependency manager for Ruby applications.

CVE-2021-43809

    In bundler versions before 2.2.33, when working with untrusted and
    apparently harmless `Gemfile`'s, it is not expected that they lead to
    execution of external code, unless that's explicit in the ruby code inside
    the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that
    use the `git` option with invalid, but seemingly harmless, values with a
    leading dash, this can be false. To handle dependencies that come from a
    Git repository instead of a registry, Bundler uses various commands, such
    as `git clone`.  These commands are being constructed using user input
    (e.g.  the repository URL). When building the commands, Bundler versions
    before 2.2.33 correctly avoid Command Injection vulnerabilities by passing
    an array of arguments instead of a command string.  However, there is the
    possibility that a user input starts with a dash (`-`) and is therefore
    treated as an optional argument instead of a positional one.  This can lead
    to Code Execution because some of the commands have options that can be
    leveraged to run arbitrary executables.

CVE-2023-28755

    A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby
    through 3.2.1. The URI parser mishandles invalid URLs that have specific
    characters. It causes an increase in execution time for parsing strings to
    URI objects.

CVE-2025-27221

    The URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent
    leakage of authentication credentials because userinfo is retained even
    after changing the host.

For Debian 11 bullseye, these problems have been fixed in version
3.2.5-2+deb11u1.

We recommend that you upgrade your rubygems packages.

For the detailed security status of rubygems please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rubygems

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEjtbD+LrJ23/BMKhw+COicpiDyXwFAmgiZIMACgkQ+COicpiD
yXx88A/8C1036gSEjmQnDlgsGgJqXfdmu5cn5eNpXhlSA8RUS7pGxFt++0il55FD
LzRRzWKmcuLTaDu4ayz/CoSkqCWzWvlgsWc0ltjLGi98vRC/mY2in7hHj40e39sd
FCH5dDPItTrhumrn/Q2nPpiwhcGNitrVUbkW74Hi4TA9uilVwLNmBCjVv37Z/ocF
XSOm0bDPpUqG7HHg2/sqfDeb4BcAhHHkOZSBp5LLOAwWZIcvqx2qikW5PX+5L/f8
0G7UBb5V0ntpi1m7/Iucm0lm8QdTwUhfzYz4NLUpQxdRQy4hGhWO/YaUH4rYrwse
y9A7j4wuXQ5XARAXwvW1fsLezIV3lTp+S4AElKZDmMTHAoeMJQkkcFH5EQ8OJKx4
XFzdAy6PMuq7bsPmbvqDoWD9wR1i2aJjF8FAYhwnmTDzfm8TU9sMM8jpR1hs8sc2
G7XflD3lB5YW72UTijKd1lmFkA9ePyMggTV/vG8EEroMvqE2tUfJXWCgU79RT6tv
aYQ0pD47TMVSB1TX2VZA8GlgXyHrDLsZHwfQLamKcwqeGIkUKtFFoDZGKttALfB6
9A/vN2WgBdZbVkAw2mixjtAp37SBH2TFvlP5LJTwR76SZhrCuYTFLNnWZejmbvD9
ELBe/KqdWSOsP/jWcwklnJC2hZndLbkWGgOwAYmNanrFqg2OCBM=
=begD
-----END PGP SIGNATURE-----
Reply to: