An update for ruby is now available for master/openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1938 Final 1.0 1.0 2024-08-02 Initial 2024-08-02 2024-08-02 openEuler SA Tool V1.0 2024-08-02 ruby security update An update for ruby is now available for master/openEuler-24.03-LTS. Ruby is a fast and easy interpreted scripting language for object-oriented programming. It has many functions for processing text Files and perform system management tasks (such as Perl). Security Fix(es): Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.(CVE-2024-35221) An update for ruby is now available for master/openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium ruby https://www.openeuler.org/en/security/security-bulletins/detail?id=openEuler-SA-2024-1938 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-35221 https://nvd.nist.gov/vuln/detail/CVE-2024-35221 openEuler-24.03-LTS rubygem-bigdecimal-3.1.3-142.oe2403.aarch64.rpm rubygem-json-2.6.3-142.oe2403.aarch64.rpm ruby-3.2.2-142.oe2403.aarch64.rpm ruby-debugsource-3.2.2-142.oe2403.aarch64.rpm rubygem-io-console-0.6.0-142.oe2403.aarch64.rpm ruby-devel-3.2.2-142.oe2403.aarch64.rpm ruby-bundled-gems-3.2.2-142.oe2403.aarch64.rpm rubygem-psych-5.0.1-142.oe2403.aarch64.rpm ruby-debuginfo-3.2.2-142.oe2403.aarch64.rpm rubygem-openssl-3.1.0-142.oe2403.aarch64.rpm rubygem-rbs-2.8.2-142.oe2403.aarch64.rpm rubygem-did_you_mean-1.6.3-142.oe2403.noarch.rpm rubygem-rexml-3.2.5-142.oe2403.noarch.rpm rubygem-test-unit-3.5.7-142.oe2403.noarch.rpm ruby-irb-3.2.2-142.oe2403.noarch.rpm rubygem-minitest-5.16.3-142.oe2403.noarch.rpm rubygems-3.4.10-142.oe2403.noarch.rpm rubygems-devel-3.4.10-142.oe2403.noarch.rpm rubygem-rake-13.0.6-142.oe2403.noarch.rpm rubygem-rdoc-6.5.0-142.oe2403.noarch.rpm ruby-help-3.2.2-142.oe2403.noarch.rpm rubygem-rss-0.2.9-142.oe2403.noarch.rpm rubygem-typeprof-0.21.3-142.oe2403.noarch.rpm ruby-3.2.2-142.oe2403.src.rpm rubygem-rbs-2.8.2-142.oe2403.x86_64.rpm rubygem-json-2.6.3-142.oe2403.x86_64.rpm ruby-3.2.2-142.oe2403.x86_64.rpm rubygem-openssl-3.1.0-142.oe2403.x86_64.rpm ruby-debuginfo-3.2.2-142.oe2403.x86_64.rpm ruby-bundled-gems-3.2.2-142.oe2403.x86_64.rpm rubygem-io-console-0.6.0-142.oe2403.x86_64.rpm ruby-debugsource-3.2.2-142.oe2403.x86_64.rpm ruby-devel-3.2.2-142.oe2403.x86_64.rpm rubygem-psych-5.0.1-142.oe2403.x86_64.rpm rubygem-bigdecimal-3.1.3-142.oe2403.x86_64.rpm Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab. 2024-08-02 CVE-2024-35221 openEuler-24.03-LTS Medium 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L ruby security update 2024-08-02 https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1938