|
|
Subscribe / Log in / New account

Mageia alert MGASA-2020-0285 (ruby)



From:
              Mageia Updates <buildsystem-daemon@mageia.org> 


To:
              updates-announce@ml.mageia.org 


Subject:
              [updates-announce] MGASA-2020-0285: Updated ruby packages fix security vulnerability 


Date:
              Tue, 7 Jul 2020 15:48:36 +0200


Message-ID:
              <20200707134836.BB7AF9F6EB@duvel.mageia.org>


MGASA-2020-0285 - Updated ruby packages fix security vulnerability

Publication date: 07 Jul 2020
URL: https://advisories.mageia.org/MGASA-2020-0285.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-10933

Description:
Updated ruby packages fix security vulnerability:

An issue was discovered in Ruby through 2.5.7. If a victim calls
BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method
resizes the buffer to fit the requested size, but no data is copied. Thus, the
buffer string provides the previous value of the heap. This may expose possibly
sensitive data from the interpreter (CVE-2020-10933).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26409
- https://www.ruby-lang.org/en/news/2020/03/31/heap-exposur...
- https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-5-8-r...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1...

SRPMS:
- 7/core/ruby-2.5.8-21.mga7
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds