An update for ruby is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1780 Final 1.0 1.0 2024-06-28 Initial 2024-06-28 2024-06-28 openEuler SA Tool V1.0 2024-06-28 ruby security update An update for ruby is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP3 Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl). Security Fix(es): Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.(CVE-2024-35221) An update for ruby is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium ruby https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1780 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-35221 https://nvd.nist.gov/vuln/detail/CVE-2024-35221 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP3 rubygem-io-console-0.4.6-125.oe2003sp4.aarch64.rpm rubygem-openssl-2.1.2-125.oe2003sp4.aarch64.rpm ruby-devel-2.5.8-125.oe2003sp4.aarch64.rpm rubygem-json-2.1.0-125.oe2003sp4.aarch64.rpm rubygem-bigdecimal-1.3.4-125.oe2003sp4.aarch64.rpm ruby-2.5.8-125.oe2003sp4.aarch64.rpm rubygem-psych-3.0.2-125.oe2003sp4.aarch64.rpm ruby-debuginfo-2.5.8-125.oe2003sp4.aarch64.rpm ruby-debugsource-2.5.8-125.oe2003sp4.aarch64.rpm ruby-debugsource-3.0.3-135.oe2203sp1.aarch64.rpm ruby-debuginfo-3.0.3-135.oe2203sp1.aarch64.rpm rubygem-io-console-0.5.7-135.oe2203sp1.aarch64.rpm rubygem-openssl-2.2.1-135.oe2203sp1.aarch64.rpm ruby-3.0.3-135.oe2203sp1.aarch64.rpm rubygem-json-2.5.1-135.oe2203sp1.aarch64.rpm rubygem-psych-3.3.2-135.oe2203sp1.aarch64.rpm rubygem-bigdecimal-3.0.0-135.oe2203sp1.aarch64.rpm ruby-devel-3.0.3-135.oe2203sp1.aarch64.rpm rubygem-bigdecimal-3.0.0-135.oe2203sp3.aarch64.rpm ruby-3.0.3-135.oe2203sp3.aarch64.rpm rubygem-io-console-0.5.7-135.oe2203sp3.aarch64.rpm rubygem-json-2.5.1-135.oe2203sp3.aarch64.rpm ruby-devel-3.0.3-135.oe2203sp3.aarch64.rpm rubygem-psych-3.3.2-135.oe2203sp3.aarch64.rpm ruby-debuginfo-3.0.3-135.oe2203sp3.aarch64.rpm ruby-debugsource-3.0.3-135.oe2203sp3.aarch64.rpm rubygem-openssl-2.2.1-135.oe2203sp3.aarch64.rpm rubygem-rdoc-6.0.1.1-125.oe2003sp4.noarch.rpm rubygems-devel-2.7.6-125.oe2003sp4.noarch.rpm rubygem-minitest-5.10.3-125.oe2003sp4.noarch.rpm rubygem-test-unit-3.2.7-125.oe2003sp4.noarch.rpm rubygem-net-telnet-0.1.1-125.oe2003sp4.noarch.rpm rubygem-rake-12.3.0-125.oe2003sp4.noarch.rpm rubygems-2.7.6-125.oe2003sp4.noarch.rpm ruby-help-2.5.8-125.oe2003sp4.noarch.rpm rubygem-xmlrpc-0.3.0-125.oe2003sp4.noarch.rpm rubygem-power_assert-1.1.1-125.oe2003sp4.noarch.rpm rubygem-did_you_mean-1.2.0-125.oe2003sp4.noarch.rpm ruby-irb-2.5.8-125.oe2003sp4.noarch.rpm ruby-irb-3.0.3-135.oe2203sp1.noarch.rpm rubygems-3.2.32-135.oe2203sp1.noarch.rpm rubygem-did_you_mean-1.5.0-135.oe2203sp1.noarch.rpm rubygem-minitest-5.14.2-135.oe2203sp1.noarch.rpm rubygem-bundler-2.2.32-135.oe2203sp1.noarch.rpm rubygem-rake-13.0.3-135.oe2203sp1.noarch.rpm rubygem-test-unit-3.3.7-135.oe2203sp1.noarch.rpm ruby-help-3.0.3-135.oe2203sp1.noarch.rpm rubygem-rexml-3.2.5-135.oe2203sp1.noarch.rpm rubygem-rss-0.2.9-135.oe2203sp1.noarch.rpm rubygems-devel-3.2.32-135.oe2203sp1.noarch.rpm rubygem-rbs-1.4.0-135.oe2203sp1.noarch.rpm rubygem-rdoc-6.3.3-135.oe2203sp1.noarch.rpm rubygem-typeprof-0.15.2-135.oe2203sp1.noarch.rpm rubygem-bundler-2.2.32-135.oe2203sp3.noarch.rpm rubygem-rbs-1.4.0-135.oe2203sp3.noarch.rpm rubygem-rdoc-6.3.3-135.oe2203sp3.noarch.rpm rubygem-rake-13.0.3-135.oe2203sp3.noarch.rpm rubygem-did_you_mean-1.5.0-135.oe2203sp3.noarch.rpm rubygems-devel-3.2.32-135.oe2203sp3.noarch.rpm ruby-irb-3.0.3-135.oe2203sp3.noarch.rpm rubygem-typeprof-0.15.2-135.oe2203sp3.noarch.rpm rubygem-rexml-3.2.5-135.oe2203sp3.noarch.rpm rubygem-minitest-5.14.2-135.oe2203sp3.noarch.rpm ruby-help-3.0.3-135.oe2203sp3.noarch.rpm rubygems-3.2.32-135.oe2203sp3.noarch.rpm rubygem-test-unit-3.3.7-135.oe2203sp3.noarch.rpm rubygem-rss-0.2.9-135.oe2203sp3.noarch.rpm ruby-2.5.8-125.oe2003sp4.src.rpm ruby-3.0.3-135.oe2203sp1.src.rpm ruby-3.0.3-135.oe2203sp3.src.rpm rubygem-bigdecimal-1.3.4-125.oe2003sp4.x86_64.rpm ruby-debugsource-2.5.8-125.oe2003sp4.x86_64.rpm rubygem-json-2.1.0-125.oe2003sp4.x86_64.rpm ruby-2.5.8-125.oe2003sp4.x86_64.rpm rubygem-io-console-0.4.6-125.oe2003sp4.x86_64.rpm rubygem-openssl-2.1.2-125.oe2003sp4.x86_64.rpm rubygem-psych-3.0.2-125.oe2003sp4.x86_64.rpm ruby-devel-2.5.8-125.oe2003sp4.x86_64.rpm ruby-debuginfo-2.5.8-125.oe2003sp4.x86_64.rpm rubygem-psych-3.3.2-135.oe2203sp1.x86_64.rpm rubygem-json-2.5.1-135.oe2203sp1.x86_64.rpm rubygem-bigdecimal-3.0.0-135.oe2203sp1.x86_64.rpm rubygem-openssl-2.2.1-135.oe2203sp1.x86_64.rpm rubygem-io-console-0.5.7-135.oe2203sp1.x86_64.rpm ruby-debugsource-3.0.3-135.oe2203sp1.x86_64.rpm ruby-3.0.3-135.oe2203sp1.x86_64.rpm ruby-devel-3.0.3-135.oe2203sp1.x86_64.rpm ruby-debuginfo-3.0.3-135.oe2203sp1.x86_64.rpm ruby-3.0.3-135.oe2203sp3.x86_64.rpm rubygem-bigdecimal-3.0.0-135.oe2203sp3.x86_64.rpm rubygem-psych-3.3.2-135.oe2203sp3.x86_64.rpm rubygem-openssl-2.2.1-135.oe2203sp3.x86_64.rpm rubygem-io-console-0.5.7-135.oe2203sp3.x86_64.rpm ruby-devel-3.0.3-135.oe2203sp3.x86_64.rpm ruby-debuginfo-3.0.3-135.oe2203sp3.x86_64.rpm ruby-debugsource-3.0.3-135.oe2203sp3.x86_64.rpm rubygem-json-2.5.1-135.oe2203sp3.x86_64.rpm Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab. 2024-06-28 CVE-2024-35221 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP1 openEuler-22.03-LTS-SP3 Medium 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L ruby security update 2024-06-28 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1780