Security update for ruby2.1

SUSE Security Update: Security update for ruby2.1

---

Announcement ID:	SUSE-SU-2020:1570-1
Rating:	important
References:	#1043983 #1048072 #1055265 #1056286 #1056782 #1058754 #1058755 #1058757 #1062452 #1069607 #1069632 #1073002 #1078782 #1082007 #1082008 #1082009 #1082010 #1082011 #1082014 #1082058 #1087433 #1087434 #1087436 #1087437 #1087440 #1087441 #1112530 #1112532 #1130611 #1130617 #1130620 #1130622 #1130623 #1130627 #1152990 #1152992 #1152994 #1152995 #1171517 #1172275
Cross-References:	CVE-2015-9096 CVE-2016-2339 CVE-2016-7798 CVE-2017-0898 CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902 CVE-2017-0903 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2017-9228 CVE-2017-9229 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079 CVE-2018-16395 CVE-2018-16396 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 CVE-2020-10663
Affected Products:	SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8

---

An update that fixes 42 vulnerabilities is now available.

Description:

This update for ruby2.1 fixes the following issues:
Security issues fixed:

• CVE-2015-9096: Fixed an SMTP command injection via CRLFsequences in a RCPT TO or MAIL FROM command (bsc#1043983).
• CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
• CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755).
• CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286).
• CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286).
• CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286).
• CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286).
• CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452).
• CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607).
• CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632).
• CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754).
• CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757).
• CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782).
• CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002).
• CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434).
• CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782).
• CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441).
• CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436).
• CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433).
• CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440).
• CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437).
• CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530).
• CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532).
• CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
• CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008).
• CVE-2018-1000075: Fixed an infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014).
• CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009).
• CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010).
• CVE-2018-1000078: Fixed a XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011).
• CVE-2018-1000079: Fixed a path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058).
• CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627).
• CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623).
• CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622).
• CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620).
• CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617).
• CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611).
• CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
• CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995).
• CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992).
• CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990).
• CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517).

Non-security issue fixed:

• Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).

Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1570=1
• SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1570=1
• SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1570=1
• SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1570=1
• SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1570=1
• SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1570=1
• SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1570=1
• SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1570=1
• SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1570=1
• SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1570=1
• SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1570=1
• SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1570=1
• SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1570=1
• SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-1570=1
• HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-1570=1

Package List:

• SUSE OpenStack Cloud Crowbar 8 (x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
• SUSE OpenStack Cloud 8 (x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
• SUSE OpenStack Cloud 7 (s390x x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
  • yast2-ruby-bindings-3.1.53-9.8.1
  • yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
  • yast2-ruby-bindings-debugsource-3.1.53-9.8.1
• SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-devel-2.1.9-19.3.2
• SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-devel-2.1.9-19.3.2
• SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
• SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
  • yast2-ruby-bindings-3.1.53-9.8.1
  • yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
  • yast2-ruby-bindings-debugsource-3.1.53-9.8.1
• SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
• SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
• SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
• SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
• SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
  • yast2-ruby-bindings-3.1.53-9.8.1
  • yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
  • yast2-ruby-bindings-debugsource-3.1.53-9.8.1
• SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
  • yast2-ruby-bindings-3.1.53-9.8.1
  • yast2-ruby-bindings-debuginfo-3.1.53-9.8.1
  • yast2-ruby-bindings-debugsource-3.1.53-9.8.1
• SUSE Enterprise Storage 5 (aarch64 x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2
• HPE Helion Openstack 8 (x86_64):
  • libruby2_1-2_1-2.1.9-19.3.2
  • libruby2_1-2_1-debuginfo-2.1.9-19.3.2
  • ruby2.1-2.1.9-19.3.2
  • ruby2.1-debuginfo-2.1.9-19.3.2
  • ruby2.1-debugsource-2.1.9-19.3.2
  • ruby2.1-stdlib-2.1.9-19.3.2
  • ruby2.1-stdlib-debuginfo-2.1.9-19.3.2

References:

• https://www.suse.com/security/cve/CVE-2015-9096.html
• https://www.suse.com/security/cve/CVE-2016-2339.html
• https://www.suse.com/security/cve/CVE-2016-7798.html
• https://www.suse.com/security/cve/CVE-2017-0898.html
• https://www.suse.com/security/cve/CVE-2017-0899.html
• https://www.suse.com/security/cve/CVE-2017-0900.html
• https://www.suse.com/security/cve/CVE-2017-0901.html
• https://www.suse.com/security/cve/CVE-2017-0902.html
• https://www.suse.com/security/cve/CVE-2017-0903.html
• https://www.suse.com/security/cve/CVE-2017-10784.html
• https://www.suse.com/security/cve/CVE-2017-14033.html
• https://www.suse.com/security/cve/CVE-2017-14064.html
• https://www.suse.com/security/cve/CVE-2017-17405.html
• https://www.suse.com/security/cve/CVE-2017-17742.html
• https://www.suse.com/security/cve/CVE-2017-17790.html
• https://www.suse.com/security/cve/CVE-2017-9228.html
• https://www.suse.com/security/cve/CVE-2017-9229.html
• https://www.suse.com/security/cve/CVE-2018-1000073.html
• https://www.suse.com/security/cve/CVE-2018-1000074.html
• https://www.suse.com/security/cve/CVE-2018-1000075.html
• https://www.suse.com/security/cve/CVE-2018-1000076.html
• https://www.suse.com/security/cve/CVE-2018-1000077.html
• https://www.suse.com/security/cve/CVE-2018-1000078.html
• https://www.suse.com/security/cve/CVE-2018-1000079.html
• https://www.suse.com/security/cve/CVE-2018-16395.html
• https://www.suse.com/security/cve/CVE-2018-16396.html
• https://www.suse.com/security/cve/CVE-2018-6914.html
• https://www.suse.com/security/cve/CVE-2018-8777.html
• https://www.suse.com/security/cve/CVE-2018-8778.html
• https://www.suse.com/security/cve/CVE-2018-8779.html
• https://www.suse.com/security/cve/CVE-2018-8780.html
• https://www.suse.com/security/cve/CVE-2019-15845.html
• https://www.suse.com/security/cve/CVE-2019-16201.html
• https://www.suse.com/security/cve/CVE-2019-16254.html
• https://www.suse.com/security/cve/CVE-2019-16255.html
• https://www.suse.com/security/cve/CVE-2019-8320.html
• https://www.suse.com/security/cve/CVE-2019-8321.html
• https://www.suse.com/security/cve/CVE-2019-8322.html
• https://www.suse.com/security/cve/CVE-2019-8323.html
• https://www.suse.com/security/cve/CVE-2019-8324.html
• https://www.suse.com/security/cve/CVE-2019-8325.html
• https://www.suse.com/security/cve/CVE-2020-10663.html
• https://bugzilla.suse.com/1043983
• https://bugzilla.suse.com/1048072
• https://bugzilla.suse.com/1055265
• https://bugzilla.suse.com/1056286
• https://bugzilla.suse.com/1056782
• https://bugzilla.suse.com/1058754
• https://bugzilla.suse.com/1058755
• https://bugzilla.suse.com/1058757
• https://bugzilla.suse.com/1062452
• https://bugzilla.suse.com/1069607
• https://bugzilla.suse.com/1069632
• https://bugzilla.suse.com/1073002
• https://bugzilla.suse.com/1078782
• https://bugzilla.suse.com/1082007
• https://bugzilla.suse.com/1082008
• https://bugzilla.suse.com/1082009
• https://bugzilla.suse.com/1082010
• https://bugzilla.suse.com/1082011
• https://bugzilla.suse.com/1082014
• https://bugzilla.suse.com/1082058
• https://bugzilla.suse.com/1087433
• https://bugzilla.suse.com/1087434
• https://bugzilla.suse.com/1087436
• https://bugzilla.suse.com/1087437
• https://bugzilla.suse.com/1087440
• https://bugzilla.suse.com/1087441
• https://bugzilla.suse.com/1112530
• https://bugzilla.suse.com/1112532
• https://bugzilla.suse.com/1130611
• https://bugzilla.suse.com/1130617
• https://bugzilla.suse.com/1130620
• https://bugzilla.suse.com/1130622
• https://bugzilla.suse.com/1130623
• https://bugzilla.suse.com/1130627
• https://bugzilla.suse.com/1152990
• https://bugzilla.suse.com/1152992
• https://bugzilla.suse.com/1152994
• https://bugzilla.suse.com/1152995
• https://bugzilla.suse.com/1171517
• https://bugzilla.suse.com/1172275