An update for rubygem-mini_magick is now available for openEuler-20.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1150 Final 1.0 1.0 2021-05-06 Initial 2021-05-06 2021-05-06 openEuler SA Tool V1.0 2021-05-06 rubygem-mini_magick security update An update for rubygem-mini_magick is now available for openEuler-20.03-LTS-SP1. A ruby wrapper for ImageMagick command line. Using MiniMagick the ruby processes memory remains small (it spawns ImageMagick's command line program mogrify which takes up some memory as well, but is much smaller compared to RMagick). Security Fix(es): In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.(CVE-2019-13574) An update for rubygem-mini_magick is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High rubygem-mini_magick https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1150 https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-13574 https://nvd.nist.gov/vuln/detail/CVE-2019-13574 openEuler-20.03-LTS-SP1 rubygem-mini_magick-4.8.0-3.oe1.noarch.rpm rubygem-mini_magick-doc-4.8.0-3.oe1.noarch.rpm rubygem-mini_magick-4.8.0-3.oe1.src.rpm In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command. 2021-05-06 CVE-2019-13574 openEuler-20.03-LTS-SP1 High 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H rubygem-mini_magick security update 2021-05-06 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1150