Ubuntu Security Notice 5235-1 - It was discovered that Ruby's CGI.escape_html incorrectly handled very large input, leading to a buffer overrun. An attacker could possibly use this issue to cause a crash. This issue only affected Ubuntu 20.04 LTS, Ubuntu 21.04, and Ubuntu 21.10. It was discovered that Ruby's date parsing methods used regular expressions that backtrack excessively on crafted input. An attacker could possibly use this issue to cause a regular expression denial of service.
a6359db1c94f5fd218ffeb0030ff14aadcb0e1fa663d178749a56f56c3ad47c9
=========================================================================
Ubuntu Security Notice USN-5235-1
January 18, 2022
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.10
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby2.7: Object-oriented scripting language
- ruby2.5: Object-oriented scripting language
- ruby2.3: Object-oriented scripting language
Details:
It was discovered that Ruby's CGI.escape_html incorrectly handled very
large input, leading to a buffer overrun. An attacker could possibly use
this issue to cause a crash. This issue only affected the Ruby 2.7 packages
in Ubuntu 20.04 LTS, Ubuntu 21.04, and Ubuntu 21.10. (CVE-2021-41816)
It was discovered that Ruby's date parsing methods (Date.parse and related
methods) used regular expressions that backtrack excessively on crafted
input. An attacker who can supply a date string could possibly use this
issue to cause a regular expression denial of service. (CVE-2021-41817)
It was discovered that Ruby's CGI::Cookie.parse applied URL decoding to
cookie names, so an attacker could craft a cookie whose name decodes to a
security prefix such as __Host- or __Secure- and spoof a protected cookie.
An attacker could possibly use this issue to access or expose sensitive
information. (CVE-2021-41819)
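To make the two parsing issues concrete, the following Ruby example is added here; it is not code from the notice or from Ruby itself. It re-implements a simplified cookie-header parser in its pre-fix shape, URL-decoding cookie names as CVE-2021-41819 describes, next to a hardened variant that keeps names verbatim and drops encoded look-alikes of prefixed cookies. It also wraps Date.parse in an explicit input-length guard as defence in depth for CVE-2021-41817. The Cookie header string, the function names and the 128-byte limit are assumptions chosen for illustration.

```ruby
require 'cgi'
require 'date'

# Constructed Cookie header for the demonstration (not taken from the notice):
# a legitimate __Host- cookie followed by an attacker-controlled cookie whose
# leading underscores are percent-encoded.
SAMPLE_COOKIE_HEADER = '__Host-session=legit; %5F%5FHost-session=forged; theme=dark'.freeze

# Simplified stand-in for the pre-fix behaviour described by CVE-2021-41819:
# cookie NAMES are URL-decoded, so "%5F%5FHost-session" collapses into
# "__Host-session" and lands in the same bucket as the real cookie.
# (Hypothetical re-implementation; not Ruby's own CGI::Cookie.parse.)
def parse_cookies_vulnerable(header)
  cookies = Hash.new { |h, k| h[k] = [] }
  header.split(/;\s?/).each do |pair|
    name, value = pair.split('=', 2)
    next if name.nil? || name.empty?
    name = CGI.unescape(name)             # the flaw: decoding the name
    cookies[name] << CGI.unescape(value.to_s)
  end
  cookies
end

# Hardened stand-in: names are kept verbatim (only values are decoded), and a
# name that would gain a __Host-/__Secure- prefix only after decoding is dropped.
COOKIE_PREFIX_RE = /\A(__Host-|__Secure-)/i

def parse_cookies_hardened(header)
  cookies = Hash.new { |h, k| h[k] = [] }
  header.split(/;\s?/).each do |pair|
    name, value = pair.split('=', 2)
    next if name.nil? || name.empty?
    decoded = CGI.unescape(name)
    next if decoded != name && decoded.match?(COOKIE_PREFIX_RE)   # encoded look-alike
    cookies[name] << CGI.unescape(value.to_s)
  end
  cookies
end

# Defence in depth for CVE-2021-41817: never hand the Date parser's regular
# expressions unbounded input. The 128-byte cap is an assumption chosen for
# this example; the fixed Date library applies a default cap of its own.
MAX_DATE_INPUT = 128

def parse_date_bounded(str, max_len: MAX_DATE_INPUT)
  if str.length > max_len
    raise ArgumentError, "date string too long (#{str.length} > #{max_len})"
  end
  Date.parse(str)
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{parse_cookies_vulnerable(SAMPLE_COOKIE_HEADER)['__Host-session'].inspect}"
  puts "hardened:   #{parse_cookies_hardened(SAMPLE_COOKIE_HEADER)['__Host-session'].inspect}"
  puts parse_date_bounded('2022-01-18')
end
```

With the sample header, the vulnerable parser reports two values for `__Host-session`, one of them attacker-supplied, while the hardened parser keeps only the genuine cookie. On patched Ruby the stdlib `CGI::Cookie.parse` no longer decodes names, and `Date.parse` rejects over-long strings by default, so the wrapper above is belt-and-braces rather than a replacement for updating.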
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 21.10:
ruby2.7 2.7.4-1ubuntu3.1
Ubuntu 21.04:
ruby2.7 2.7.2-4ubuntu1.3
Ubuntu 20.04 LTS:
ruby2.7 2.7.0-5ubuntu1.6
Ubuntu 18.04 LTS:
ruby2.5 2.5.1-1ubuntu1.11
Ubuntu 16.04 ESM:
ruby2.3 2.3.1-2~ubuntu16.04.16+esm2
In general, a standard system update will make all the necessary changes.
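To check an installed version against the table above without relying on the target host, the following Ruby example is added here (it is not part of the notice). It encodes the fixed versions listed in this notice and re-implements dpkg's version ordering, including the `~` rule that makes `2~ubuntu16.04.16+esm2` sort below a plain `2`, so that a version string captured with `dpkg-query -W -f='${Version}' ruby2.7` can be classified offline. On an Ubuntu host itself, `dpkg --compare-versions` does the same comparison natively; the sample installed version below is constructed.

```ruby
# Fixed package versions published in this notice, keyed by Ubuntu release.
FIXED_VERSIONS = {
  '21.10' => ['ruby2.7', '2.7.4-1ubuntu3.1'],
  '21.04' => ['ruby2.7', '2.7.2-4ubuntu1.3'],
  '20.04' => ['ruby2.7', '2.7.0-5ubuntu1.6'],
  '18.04' => ['ruby2.5', '2.5.1-1ubuntu1.11'],
  '16.04' => ['ruby2.3', '2.3.1-2~ubuntu16.04.16+esm2'],
}.freeze

# Character weight used by dpkg when comparing non-digit runs: '~' sorts before
# everything, including the end of the string; letters sort before other symbols.
def deb_char_order(c)
  return 0 if c.nil?                    # end of string
  return -1 if c == '~'
  return c.ord if c.match?(/[A-Za-z]/)
  c.ord + 256
end

# Compare one version fragment (upstream part or Debian revision) the way dpkg
# does: alternate between a non-digit run compared by deb_char_order and a
# digit run compared numerically, until both strings are consumed.
def deb_fragment_cmp(a, b)
  until a.empty? && b.empty?
    na, nb = a[/\A\D*/], b[/\A\D*/]
    a, b = a[na.length..], b[nb.length..]
    [na.length, nb.length].max.times do |i|
      d = deb_char_order(na[i]) - deb_char_order(nb[i])
      return d <=> 0 unless d.zero?
    end
    da, db = a[/\A\d*/], b[/\A\d*/]
    a, b = a[da.length..], b[db.length..]
    d = da.to_i <=> db.to_i
    return d unless d.zero?
  end
  0
end

# Split "epoch:upstream-revision" into its parts (epoch and revision optional).
def split_deb_version(version)
  epoch, rest = version.include?(':') ? version.split(':', 2) : ['0', version]
  upstream, sep, revision = rest.rpartition('-')
  upstream, revision = rest, '' if sep.empty?   # no hyphen: all upstream
  [epoch.to_i, upstream, revision]
end

# Full dpkg-style comparison: -1, 0 or 1.
def deb_version_cmp(v1, v2)
  e1, u1, r1 = split_deb_version(v1)
  e2, u2, r2 = split_deb_version(v2)
  c = e1 <=> e2
  c = deb_fragment_cmp(u1, u2) if c.zero?
  c = deb_fragment_cmp(r1, r2) if c.zero?
  c
end

# :patched if the installed version is at or above the fixed version for the
# release, :vulnerable if below, :unknown if the release/package is not listed.
def patch_status(release, package, installed_version)
  entry = FIXED_VERSIONS[release]
  return :unknown if entry.nil? || entry[0] != package
  deb_version_cmp(installed_version, entry[1]) >= 0 ? :patched : :vulnerable
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: what `dpkg-query -W -f='${Version}' ruby2.7` might
  # print on a 20.04 host that has not yet taken this update.
  puts patch_status('20.04', 'ruby2.7', '2.7.0-5ubuntu1.5')   # vulnerable
end
```

The comparison deliberately treats numeric runs as numbers (so `2.7.10` is newer than `2.7.4`) and gives `~` its dpkg meaning, which matters for the ESM version string in this notice; a naive string comparison gets both wrong.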
References:
https://ubuntu.com/security/notices/USN-5235-1
CVE-2021-41816, CVE-2021-41817, CVE-2021-41819
Package Information:
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.4-1ubuntu3.1
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.2-4ubuntu1.3
https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.6
https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.11