Ubuntu alert USN-7091-2 (ruby2.7)

From:
             
 
Nishit Majithia <nishit.majithia@canonical.com>
To:
             
 
ubuntu-security-announce@lists.ubuntu.com
Subject:
             
 
[USN-7091-2] Ruby vulnerabilities
Date:
             
 
Thu, 21 Nov 2024 10:45:47 +0530
Message-ID:
             
 
<o3ogr37t5of7q5jpvn23ydl5mvvfzvixusk7handz7q64kgefq@2mwdrfklijzp>
==========================================================================
Ubuntu Security Notice USN-7091-2
November 21, 2024

ruby2.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Ruby.

Software Description:
- ruby2.7: Object-oriented scripting language

Details:

USN-7091-1 fixed several vulnerabilities in Ruby. This update provides the
corresponding update for ruby2.7 in Ubuntu 20.04 LTS.

Original advisory details:

 It was discovered that Ruby incorrectly handled parsing of an XML document
 that has specific XML characters in an attribute value using REXML gem. An
 attacker could use this issue to cause Ruby to crash, resulting in a
 denial of service. This issue only affected in Ubuntu 22.04 LTS and Ubuntu
 24.04 LTS. (CVE-2024-35176, CVE-2024-39908, CVE-2024-41123)
 
 It was discovered that Ruby incorrectly handled parsing of an XML document
 that has many entity expansions with SAX2 or pull parser API. An attacker
 could use this issue to cause Ruby to crash, resulting in a denial of
 service. (CVE-2024-41946)
 
 It was discovered that Ruby incorrectly handled parsing of an XML document
 that has many digits in a hex numeric character reference. An attacker
 could use this issue to cause Ruby to crash, resulting in a denial of
 service. (CVE-2024-49761)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  libruby2.7                      2.7.0-5ubuntu1.15
  ruby2.7                         2.7.0-5ubuntu1.15

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7091-2
  https://ubuntu.com/security/notices/USN-7091-1
  CVE-2024-35176, CVE-2024-39908, CVE-2024-41123, CVE-2024-41946,
  CVE-2024-49761, https://launchpad.net/bugs/2086615

Package Information:
  https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubunt...


Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

iQGzBAABCgAdFiEEs16801xnF7wK3rCK7Ic6ztRocjwFAmc+wf4ACgkQ7Ic6ztRo
cjy8vgv+KQWUFbBXoo45kJse8oi7E670t6ATlVW8umyDgl1RAfL65Gq5b5h1B10L
MajfYbIYhBL2EAmde6Bc/uzl//of6IrLFrg7mzH4/VNK1c7HfabV+ACWz+MK01Em
IygJdAt64WZItTNkM9ceSr+ZnI3MRQ1XYF9wZGSqdjOCJ2F+Y/Zf8/am2bWPN83i
jdmYNF65lUJAkwtJ/RnL17MPABSRLgonG8/tV4xQZ+3xEwCby2F4p1EVYmMpoRsg
q61029qHlyvUmn6XcrLaCCjlab1J8ha1ydM/xq6M7v3wZLwxdapHzVS1N07VUrfZ
+NlQIbuSn51YO3GEGWBziuL6UMb7COHQeXeY49APukoU/IaHtO52AF02dgUKQczz
QWlhO9p4ocjeD512zD8f8i2a2mdkLecAUDPDCvGYM+dv2nC0lm4m/NYo3P6No8T2
AGEjseUSh9QpHRPwe74Awan4KzjGIvJuATYPo0ax5ULdMspmt8zLNII7mEdrZ5Xe
nqKvx1Qo
=XXFJ
-----END PGP SIGNATURE-----


Attachment: None (type=text/plain)