New Debian ruby2.3 2.3.3-1+deb9u10 fixes:

This update addresses the following issues:
* Command injection vulnerability in RDoc (CVE-2021-31799)
* FTP PASV command response can cause Net::FTP to connect to arbitrary host (CVE-2021-31810)
* StartTLS stripping vulnerability in Net::IMAP (CVE-2021-32066)
--- mirror/ftp/4.4/unmaintained/4.4-7/source/ruby2.3_2.3.3-1+deb9u9.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/ruby2.3_2.3.3-1+deb9u10.dsc @@ -1,3 +1,12 @@ +2.3.3-1+deb9u10 [Sun, 19 Sep 2021 09:10:46 +0530] Utkarsh Gupta <utkarsh@debian.org>: + + * Add patch to use File.open to fix the OS Command + Injection vulnerability. (Fixes: CVE-2021-31799) + * Add patch to fix StartTLS stripping vulnerability. + (Fixes: CVE-2021-32066) + * Add patch to ignore IP addresses in PASV responses + by default. (Fixes: CVE-2021-31810) + 2.3.3-1+deb9u9 [Thu, 01 Oct 2020 18:54:55 +0530] Utkarsh Gupta <utkarsh@debian.org>: * Non-maintainer upload by the LTS team. <http://piuparts.knut.univention.de/4.4-8/#5476384689429671213>
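Review bot: the CVE-2021-31810 entry ("Add patch to ignore IP addresses in PASV responses by default") describes a default behaviour change, not only a fix, and neither this changelog entry nor the errata text mentions that Net::FTP clients talking to servers which legitimately advertise a different address in the PASV reply will now connect to the control-connection host instead; please add a sentence noting the changed default and how to opt back into the old behaviour, so administrators can check their FTP integrations before rolling this out. Minor: the previous entry is marked "Non-maintainer upload by the LTS team." while this one, by the same uploader, is not, and none of the three bullets names the debian/patches file it adds, which makes tracing each CVE to its patch harder during review.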
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] 717b61bd97 Bug #53892: ruby2.3 2.3.3-1+deb9u10
 doc/errata/staging/ruby2.3.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x1069>