summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/ruby/ruby/CVE-2021-31810.patch
AgeCommit message (Collapse)Author
2022-03-07ruby : update to 3.0.3Lee Chee Yang
Do not tweak a file that is no longer installed. Ruby 3.0.3 includes security fixes. CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods CVE-2021-41816: Buffer Overrun in CGI.escape_html CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse Ruby 3.0.2 release includes security fixes. CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP CVE-2021-31799: A command injection vulnerability in RDoc Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
2021-09-15ruby: Security fixes for CVE-2021-31810/CVE-2021-32066Yi Zhao
CVE-2021-31810: A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port scans and service banner extractions). CVE-2021-32066: Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.” References: https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/ https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/ Patches from: https://github.com/ruby/ruby/commit/bf4d05173c7cf04d8892e4b64508ecf7902717cd https://github.com/ruby/ruby/commit/e2ac25d0eb66de99f098d6669cf4f06796aa6256 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-25 14:53:53 +0000